Credit agency warns that weak cybersecurity defenses could hurt a company’s credit rating, even before an attack
S&P Global Credit is adding cybersecurity to the list of risk factors for assessing credit ratings and will use NIST standards for the assessment process.
As cyberattacks and data breaches become larger and more frequent, businesses that don’t put strong cybersecurity defenses in place can feel a direct financial hit before hackers even show up. In a report published on March 30S&P Global Ratings warned that “…companies that do not incorporate cyber risk mitigation strategies into their corporate governance and risk management frameworks could face rating pressure, even before an attack”.
S&P Global Ratings quoted Searching for checkpoints which showed that average weekly cyberattacks per organization increased by 53% in 2021 compared to 2020, with even worse figures for data-rich sectors. The agency noted that most businesses that suffered a cyberattack were able to manage the impact without hurting credit ratings. At the same time, “negative rating actions where a cyberattack was a contributing factor more than doubled for 2020 and 2021, compared to the previous two-year period.”
S&P analysts recommend that companies “integrate cybersecurity into their risk mitigation strategies to reduce their vulnerability.” If the credit reporting agency decides that a company’s cyber risk mitigation strategies are not strong enough, it could result in a lower rating than companies in a similar position.
A spokesperson for the Institute of Internal Auditors said cybersecurity risk is a very significant risk across all sectors and industries and that credit ratings are based on perceived organizational risk.
“All companies should be able to demonstrate that they have effective internal controls in place to minimize, respond to, respond to, and recover from cybersecurity incidents,” the representative said. “Cybersecurity governance is most effective when objective assurance is provided by a strong internal audit function operating independently of management. »
SEE: Nearly two-thirds of ransomware victims paid ransoms last year
S&P Global expects attacks to continue to grow due to global migration to the cloud and decentralization of the workforce. Both of these trends expand the attack surface and open up new platform vulnerabilities.
Purandar Das, CEO and Founder of Sotero, said credit rating affected by preparation and past claims related to breaches is a great way to initiate meaningful action.
“Credit ratings impact both a company’s revenue and bottom line,” Das said. “The company will be absolutely mindful of how its security stacks up and how badly that could impact its finances.”
Although most credit rating actions to date have taken place after a cyberattack, the S&P report suggests that “levels of cyber risk preparedness are likely to be uneven across companies and sectors and will become increasingly important in our analysis of the management and governance of issuers”.
Until recently, organizations could ignore the impact of data breaches or loss, Das says, but that luxury is slipping away due to consumer lawsuits and new privacy regulations.
“Without hefty financial or legal penalties, businesses have no incentive or incentive to take data loss seriously,” he said. “They relied on insurers to help cover some of the impact of a data breach or loss; clearly, insurers are feeling the pinch of escalating claims and are going or have started to narrowly define their responsibilities.
The S&P report notes that cyber insurance premiums are on the rise and companies with a more resilient cybersecurity strategy will get better rates, which could incentivize better cyber hygiene.
How S&P assesses cyber risk preparedness
The credit bureau said it would use NIST standards to measure a company’s cybersecurity. The agency will examine how a company approaches these five core functions of the NIST framework:
- Identify cyber risk: The issuer understands its external environment and has a cybersecurity strategy in place that addresses key risks and allocates resources to manage and test the strategy as part of its broader ERM framework. The issuer knows its physical and digital assets, its dependencies on third parties, has defined risk tolerances and created board accountability.
- Protect assets: This involves implementing cyber-hygiene practices such as firewalls,
antivirus software and staff training. The issuer regularly performs system access audits and exercises controls over financial payments.
- Detect cyberattacks: Implement tools and processes to monitor systems and detect
- Respond and mitigate damage: Have a defined incident response plan that is frequently tested to contain and mitigate the impact of cyberattacks, communicate with relevant stakeholders, and analyze the incident for lessons learned.
- Recovery: restoring data from backups, reconfiguring systems or using other means to recover access to systems, communicating with key stakeholders, and incorporating lessons learned into their risk management policies and practices.
If a company experiences a cyberattack, S&P analysts would consider considering the impact of the attack on these elements of a credit score:
- Competitive position: A cyber incident could harm a company’s competitive position through reputational damage, customer attrition, business disruption or increased costs that impact on profitability.
- Liquidity: A company’s liquidity position can be negatively affected due to financial losses resulting from ransomware, investments in security and payments to third-party consultants, litigation, customer subsidies, etc.
- Cash Flow/Leverage: Higher operating costs or investments to address cyber deficiencies could negatively impact cash flow, reducing its profitability and increasing leverage.
- M&G: Cyber Incident Could Reveal Material Deficiencies in Completeness of Enterprise-Wide Risk Management Standards and Tolerances, Board Effectiveness, or Other Governance Factors, Resulting in a Negative Review our M&G assessment and/or ESG indicator assessments.
Losses from cyberattacks are increasing
S&P Global analysts also expect the financial toll of these attacks to worsen as well, noting that “this upward trend is only natural given the increasing digitization of customer records and content.” . The authors also note that sectors with the most sensitive data – healthcare and finance to name two – have the highest frequency of cyberattacks. The business issues that often result from a cyberattack, such as financial loss, contingent liabilities, and business interruption, also increase the risk to an organization’s credit rating.
WATCH: “Browser-in-browser” attacks: A devastating new phishing technique emerges
Healthcare businesses faced the largest increase in the average total cost of a data breach, with that financial hit exceeding $9 million in 2021, up from $7 million in 2020. Hospitality businesses and Retail businesses have also seen significant increases in the average total cost of a data reach, with both industries facing an average cost of more than $3 million per incident.
The report’s authors also note the increase in attacks against software service providers, which increases systemic risk and highlights the need for these providers to improve their own cybersecurity strategy and spending.