Weak artificial intelligence (AI) governance practices pose a growing risk of data breaches, warns a report published by Moody’s Ratings.
Large numbers of companies and organizations “have no rules in place to govern the safe use of new artificial intelligence (AI) tools in the workplace,” despite the routine use of AI chatbots in everyday life and increasing integration of AI into business processes, said the report on Moody’s 2025 cybersecurity survey of nearly 2,000 rated global organizations.
“Without restrictions, employees may inadvertently share sensitive or proprietary data with public AI platforms, increasing the likelihood of data breaches, intellectual property loss, and reputational harm,” according to the survey report titled “Weak artificial intelligence governance practices pose growing risk of data breaches,” published on Oct. 1.
Moody’s explained that submitting proprietary information into chatbots like OpenAI’s ChatGPT or Google’s Gemini “is likely to expose sensitive data to third parties, potentially violating internal data handling policies or confidentiality agreements or leading to unintentional data leaks, especially if the AI tool retains or learns from user inputs.”
The risks of such exposure can range from data breaches to intellectual property loss and even reputational damage, the report continued.
Nearly one-quarter of survey respondents (22%) revealed they have no policies in place to restrict staff from using the firm’s internal and proprietary data with publicly available AI chatbots, the report said. “In North America, 80% of respondents have implemented these restrictions, but in Asia Pacific (APAC) 35% of respondents said they have not.”
Moody’s said local governments are among the most vulnerable with only 48% implementing policies governing the use of AI tools. “Non-financial companies score highest with 78% having such policies in place.”
Attack Severity to Intensify
Cyberattacks against the companies and organizations that Moody’s rates have been higher over the last 10 years than at any point before, said the report, noting, however, that they have dropped from an all-time high in 2020. (See graphic below).

Source: “Weak artificial intelligence governance practices pose growing risk of data breaches,” page 3, exhibit 2.
“So far, the victims of attacks have had sufficient resources to cope. There have only been 25 cyber-related credit rating actions against 16 [debt] issuers,” the report continued. (Editor’s note: The survey gauges the cybersecurity practices of global organizations that Moody’s rates and collects data on this risk, which can affect the credit strength of all debt issuers.)
“Nonetheless, as digitalization broadens and new technologies such as generative AI and quantum computing emerge, attack severity will intensify and costs will increase,” Moody’s said.
Risks From Third-Party Software Suppliers
Another area of concern highlighted by the cyber survey report is third-party software, which increases the attack surface, providing more entry points for cybercriminals to exploit, the report said.
While modern software systems often rely on a complex network of third-party vendors and suppliers, many organizations fail to rigorously assess third-party cybersecurity practices or manage open-source software risks, which can leave them exposed to supply chain attacks, Moody’s added.
“This interconnectedness means that vulnerabilities in one supplier’s software can pass throughout the entire supply chain, affecting multiple organizations.”
Moody’s noted that cybercriminals favor supply-chain attacks because they provide a better return on investment. “By compromising one vendor, they can attack a wide swath of that vendor’s end users.”
Despite the risks, Moody’s survey found that 14% of respondents have never reviewed their software suppliers’ cybersecurity practices and only 65% review these practices annually. That number drops to 48% for healthcare, housing, and higher education respondents. “For not-for-profit hospitals, the figure is 43%, and most of these hospitals (53%), say they only perform a review every few years.”
In response to this growing risk, Moody’s said, there has been an increase in the number of organizations that require vendors, such as software providers, “to carry cyber insurance if their staff or products have access to internal IT systems.”
Gaps in Key Cyber Defenses
Despite the escalating threat and growing sophistication of cyberattacks, Moody’s said, many organizations are failing to consistently implement critical cybersecurity measures, such as daily backups of data and multi-factor authentication (MFA) for network access.
Moody’s noted that only 78% of issuers perform daily backups, while 22% – including some large institutions – do not perform any backup scanning at all, which reveals “a critical gap in cyber hygiene.”
Multi-factor authentication, which fortifies user accounts by requiring multiple forms of verification before a network can be accessed, is also being inconsistently enforced, Moody’s indicated.
Enforcement of MFA for all applications stands at only 75%, despite the fact that Microsoft’s security division estimates it can prevent 99.9% of attacks targeting user accounts, the ratings agency emphasized.
“Some organizations only require MFA for remote access, potentially leaving other parts of their IT environment exposed.”
Cybersecurity Governance
On a more positive note, Moody’s said, there are signs of improved executive oversight of cyber matters.
“Organizations are making strides in cybersecurity governance, with a growing number of senior cyber managers now reporting directly to chief executives or financial chiefs. This shift enhances visibility and prioritization of cyber risk at the executive level,” said the report.
In Moody’s 2025 survey, 28% of cybersecurity respondents revealed they report to the CEO or CFO – a 13% increase from the last survey in 2023.
About Moody’s 2025 Issuer Cyber Survey
This year, Moody’s conducted its third cybersecurity survey of the debt issuers it rates to better understand how cyber risk is evolving, and what private enterprises and government-related entities are doing to manage the risk. Between April and July, the ratings agency collected 1,952 responses globally from the nearly 9,000 issuers it surveyed, resulting in a response rate of 22%.
The survey responses were compared across five sectors: corporate; financial services; infrastructure (i.e. airports, toll roads, utilities etc.); healthcare, housing, and higher education; and regional and local governments. Moody’s said survey data provides insight into how issuers manage four key areas of cyber risk: cyber governance, cybersecurity operations, cyber risk transfer (i.e. insurance) and artificial intelligence (AI).