For the first time ever, a major credit risk agency slashed a company’s credit rating due to a cyber breach. How can credit risk agencies improve their ability to assess cyber risk?
A New Era
On Wednesday, May 22, 2019, the impact of cyber risk reached a new watermark. Moody’s downgraded Equifax’s credit risk rating from “stable” to “negative,” the first time a cyber event has directly impacted a credit risk rating for any company. With the $50 billion stack of lawsuits aligned against Equifax (versus its $15B market cap), this downgrade amplifies the existential risk it faces.
“We are treating this with more significance because it is the first time that cyber has been a named factor in an outlook change,” said Joe Mielenhausen, a spokesperson for Moody’s. “This is the first time the fallout from a breach has moved the needle enough to contribute to the change.”
The ongoing volume and increasing magnitude of breaches threaten the financial stability of targeted organizations. Data disclosure is one type of damage, but the results of a breach extend well beyond that. Disrupting operations for a significant period escalates credit risk, can cause great reputational damage, and can even provoke derivative suits against the board and management for negligence and other forms of malfeasance.
Equifax isn’t the first breached company to experience a significant impact, but the impact usually takes several years to peak. A 2017 study of breached public companies revealed these post-breach results:
- Growth in share price underperformed that of their peers.
- Breaches of highly sensitive data caused significantly greater losses in share price.
- After three years, the NASDAQ average outperformed breached companies by 40 percent.
Incorporating Cyber Risk into Credit Risk
Credit risk ratings deeply affect the ability to raise capital for operations. How is cyber risk currently incorporated into credit risk ratings? Understanding the general level of cyber risk associated with each sector is the core factor. For example, Moody’s assigns cyber risk levels to different sectors.
While general risk levels of sectors and subsectors are helpful, information about the specific level and effectiveness of mitigating policies and processes applied is vital. Internal information is lacking even from regulated industries and is especially difficult to extract from others.
Widely accepted cyber standards create the level playing field needed to accurately evaluate relative cyber risk. Frameworks like NIST CSF, ISO 27001, and others that have been “crosswalked” employ the best expertise derived from several thousand experts. Basing assessments upon them ensures meaningful “apples-to-apples” risk comparisons.
Without understanding the internal measures taken, it’s difficult to see how credit rating agencies can incorporate cyber risk into their ratings except at a gross level by subsector. Obtaining and incorporating internal, standardized information about the specific cyber practices of each organization, like the standards-based data that Cybernance aggregates, would dramatically increase the accuracy and credibility of ratings.
SAFETY Act Liability Protection
A January New York Times article reported that the “former officers and directors of Yahoo agreed to pay $29 million to settle charges that they breached their fiduciary duties in their handling of customer data during a series of cyberattacks from 2013 until 2016.” The amount was recently increased to $117 million after a judge ruled that the settlement was inadequate. Carriers place caps on coverage to limit their aggregate risk, and the cost of maintaining adequate coverage is prohibitive for all but the largest entities, so most organizations carry inadequate insurance to protect them from a significant breach.
The SAFETY Act, administered by the Department of Homeland Security, offers a hedge against liability. It extends the government’s sovereign immunity from lawsuits to users of designated solutions from vetted and approved vendors. Users regularly managing cyber risk based on NIST CSF and FFIEC CAT using Cybernance, which carries a DHS “Qualified Anti-Terrorism Technology” designation, have the highest liability protection available.