As cyberattacks and data breaches grow bigger and more frequent, companies that don’t build strong cybersecurity defenses may feel a direct financial hit even before hackers show up. In a report published March 30, S&P Global Ratings warned that “…companies that do not incorporate cyber risk mitigation strategies into their corporate governance and risk management frameworks could face ratings pressure, even before an attack.”
S&P Global Ratings cited Check Point Research that showed average weekly cyberattacks per organization went up 53% in 2021 as compared to 2020, with even worse numbers for data-rich sectors. The agency noted that most companies that have endured a cyberattack have been able to manage the impact without harming credit ratings. At the same time, “negative rating actions where a cyberattack was a contributing factor more than doubled for 2020 and 2021, relative to the preceding two-year period.”
The S&P analysts recommend that companies “embed cyber security into their risk-mitigation strategies to reduce their vulnerability.” If the credit agency decides that a company’s cyber risk mitigation strategies are not strong enough, this could result in a lower rating than similarly positioned companies.
A spokesperson from The Institute of Internal Auditors said cyber-related risk is a highly significant risk across all industries and sectors and credit ratings are based on perceived organizational risk.
“All companies should be able to demonstrate that they have effective internal controls in place to minimalize, react, respond, and recover from cybersecurity incidents,” the representative said. “Governance over cybersecurity is more effective when objective assurance is provided by a robust internal audit function operating independently from management.”
S&P Global expects attacks to keep growing due to the overall migration to the cloud and the decentralization of the workforce. Both these trends expand the attack surface and open up new platform vulnerabilities.
Purandar Das, CEO and founder at Sotero, said credit rating being impacted by preparedness and past claims related to breaches is a great way to initiate meaningful action.
“Credit ratings impact both the top and bottom line of a business,” Das said. “The business will absolutely pay attention to how their security stack ups and how much it could adversely impact their financials.”
Although most credit rating actions to date have arisen after a cyberattack, the S&P report suggests that “the level of cyber risk preparedness is likely uneven across corporate issuers and sectors and will become increasingly important in our analysis of issuers’ management and governance.”
Until recently, organizations have been able to ignore the impact of data breaches or losses, according to Das, but that luxury is going away due to consumer lawsuits and new privacy regulations.
“Without heavy financial or legal penalties, companies have no motivation or driver to actually take losing data seriously,” he said. “They have relied on insurers to help defray part of the impact of a data breach or loss; obviously, insurers are feeling the pinch of escalating claims and will or have started to narrowly define their responsibilities.”
The S&P report notes that cyber insurance premiums are on the rise and that companies with a more resilient cybersecurity strategy will get better rates which could incentivize better cyber hygiene.
How S&P assesses cyber risk preparedness
The credit agency said it will use NIST standards to measure a company’s cybersecurity. The agency will consider how a company addresses these five core NIST framework functions:
- Identify cyber risk: The issuer understands its external environment and has put in place a cybersecurity strategy that addresses key risks and allocates resources to govern and test the strategy as a part of its broader ERM framework. The issuer is knowledgeable of its physical and digital assets, dependencies on third parties, has set risk tolerances and created board accountability.
- Protect assets: This entails implementing cyber hygiene practices such as firewalls,
antivirus software and staff training. The issuer conducts regular systems access audits and has controls around financial payments.
- Detect cyberattacks: Establish tools and processes to monitor systems and detect
- Respond and limit damage: Have a defined incident response plan that is frequently tested to contain and mitigate the impact of cyberattacks, communicate with the relevant stakeholders and analyze the incident for lessons learned.
- Recover: Restoring data from backups, reconfiguring systems or using other means of regaining systems access, communicating to key stakeholders and incorporating lessons learnt into their risk-management policies and practices.
If a company suffers a cyberattack, S&P analysts would consider consider the impact of the attack on these elements of a credit score:
- Competitive position: a cyber incident could harm a company’s competitive position due to reputational damage, customer attrition, business disruption or increased costs that impact profitability.
- Liquidity: A company’s liquidity position could be negatively affected due to financial losses stemming from ransomware, security investments and payments to third-party consultants, litigation, customer subsidies, etc.
- Cash flow/leverage: Higher operating costs or investments to address cyber deficiencies could have a negative impact on cash flow, lowering its profitability and increasing leverage.
- M&G: A cyber incident could expose material deficiencies in the comprehensiveness of enterprise-wide risk management standards and tolerances, board effectiveness or other governance factors leading to a negative revision of our M&G assessment and/or ESG indicator assessments.
Losses from cyberattacks increase
S&P Global analysts also expect the financial toll of these attacks to get worse as well, noting that “this upward trend is only natural given the increasing digitization of customer records and content.” The authors also note that sectors with the most sensitive data–healthcare and finance to name only two–have the greatest frequency of cyberattacks. The business problems that often result from a cyberattack, such as financial losses, contingent liabilities and business interruption makes the risk to an organization’s credit rating higher as well.
Healthcare companies faced the biggest increase in the average total cost of a data breach, with that financial hit passing $9 million in 2021, compared to $7 million in 2020. Hospitality and retail companies also saw significant increases in the average total cost of a data reach with both sectors dealing with an average cost of more than $3 million per incident.
The report authors also note the increase in attacks on software service providers, which increases systemic risk and highlights the need for those providers to improve their own strategy and spending around cybersecurity.