S&P Global Credit adds cybersecurity to the list of risk factors for evaluating credit scores and will use NIST standards for the evaluation process.
As cyberattacks and data breaches grow larger and more frequent, businesses that don’t build strong cybersecurity defenses can feel a direct financial hit even before hackers show up. In a report published on March 30, S&P Global Ratings warned that “…companies that do not incorporate cyber risk mitigation strategies into their corporate governance and risk management frameworks could face rating pressure, even before an attack.”
S&P Global Ratings quoted Checkpoint Investigation which showed that average weekly cyberattacks per organization increased by 53% in 2021 compared to 2020, with even worse numbers for data-rich sectors. The agency noted that most companies that have suffered a cyberattack have been able to manage the impact without damaging credit ratings. At the same time, “negative rating actions in which a cyberattack was a contributing factor more than doubled for 2020 and 2021, relative to the previous two-year period.”
S&P analysts recommend that companies “incorporate cybersecurity into their risk mitigation strategies to reduce their vulnerability.” If the credit bureau decides that a company’s cyber risk mitigation strategies are not strong enough, this could result in a lower rating than similarly positioned companies.
A spokesman for the Institute of Internal Auditors said cyber-related risk is a very significant risk across all industries and sectors and that credit ratings are based on perceived organizational risk.
“All companies should be able to demonstrate that they have effective internal controls in place to minimize, react to, respond to, and recover from cybersecurity incidents,” the representative said. “Cybersecurity governance is most effective when a strong internal audit function that operates independently of management provides objective assurance.”
S&P Global expects attacks to continue to grow due to the general migration to the cloud and decentralization of the workforce. Both of these trends expand the attack surface and open up new platform vulnerabilities.
Purandar Das, CEO and founder of Sotero, said that having a credit rating affected by breach preparedness and by past breach-related claims is a great way to initiate meaningful action.
“Credit ratings impact both the bottom line and bottom line of a company,” Das said. “The company will absolutely pay attention to how your security stacks up and how much it could negatively affect your finances.”
Although most credit rating actions to date have followed a cyber attack, the S&P report suggests that “the level of cyber risk preparedness is likely to be uneven across issuers and corporate sectors and will become increasingly important in our analysis of the management and governance of issuers”.
Until recently, organizations have been able to ignore the impact of data breaches or loss, according to Das, but that luxury is disappearing due to consumer demands and new privacy regulations.
“Without heavy financial or legal penalties, companies have no motivation or drive to take data loss seriously,” he said. “They have relied on insurers to help defray some of the impact of a data breach or loss; obviously insurers are feeling the pinch of escalating claims and will begin to narrowly define their responsibilities.”
The S&P report notes that cyber insurance premiums are rising and companies with a more resilient cybersecurity strategy will get better rates that could incentivize better cyber hygiene.
How S&P Assesses Cyber Risk Preparedness
The credit bureau said it will use NIST standards to measure a company’s cybersecurity. The agency will consider how a company addresses these five main functions of the NIST framework:
- Identify cyber risk: The issuer understands its external environment and has implemented a cybersecurity strategy that addresses key risks and allocates resources to govern and test the strategy as part of its broader ERM framework. The issuer knows its physical and digital assets and third-party dependencies, has established risk tolerances, and has created responsibilities on the board.
- Protect assets: This involves implementing cyber hygiene practices such as firewalls, antivirus software and staff training. The issuer conducts regular audits of access to systems and has controls over financial payments.
- Detect cyber attacks: Establish tools and processes to monitor systems and detect
- Respond and limit damage: Have a defined incident response plan that is frequently tested to contain and mitigate the impact of cyber attacks, communicate with relevant stakeholders, and analyze the incident for lessons learned.
- Recover: Restore data from backups, reconfigure systems, or use other means to regain access to systems, communicate with key stakeholders, and incorporate lessons learned into risk management policies and practices.
If a company suffers a cyberattack, S&P analysts would consider the impact of the attack on these elements of a credit rating:
- Competitive position: A cyber incident could harm a company’s competitive position due to reputational damage, customer attrition, business interruption, or increased costs affecting profitability.
- Liquidity: A company’s liquidity position could be negatively affected by financial losses from ransomware, security investments and payments to outside consultants, litigation, customer subsidies, etc.
- Cash flow/leverage: Increased operating costs or investments to address cyber deficiencies could have a negative impact on cash flow, reducing the company’s profitability and increasing leverage.
- M&G (management and governance): A cyber incident could expose material deficiencies in the comprehensiveness of company-wide risk management standards and tolerances, the effectiveness of the board, or other governance factors, leading to a negative review of S&P’s M&G assessment and/or evaluations of ESG indicators.
Losses due to cyber attacks are on the rise
S&P Global analysts also expect the financial cost of these attacks to worsen, noting that “this upward trend is natural given the increasing digitization of customer records and content.” The authors also note that the sectors with the most sensitive data (healthcare and finance, to name just two) have the highest frequency of cyberattacks. Business problems that often result from a cyberattack, such as financial losses, contingent liabilities, and business interruption, also increase the risk to an organization’s credit rating.
Healthcare companies faced the largest increase in the average total cost of a data breach, with the financial impact exceeding $9 million in 2021, compared to $7 million in 2020. Hospitality and retail companies also experienced significant increases in the average total cost of a data breach, with both sectors dealing with an average cost of more than $3 million per incident.
The report’s authors also point to the rise in attacks on software service providers, increasing systemic risk, and highlighting the need for those providers to improve their own cybersecurity strategy and spending.