Seven ways in which the credit relevance of cybersecurity has increased over the last five years, and why it is only increasing. July 14, 2021
This report does not constitute a rating action
Simon Ashworth, London, simon.ashworth@spglobal.com
Given the increasing sophistication of cyberattacks over the past 12 months, cyber risk is a more relevant topic than ever before. At S&P Global Ratings, we have seen more credit-relevant cyber events in the last six months than in the previous six years, and we routinely reflect on recent cyber developments to sharpen our focus and to help us refine our forward-looking credit views.
Since our most recent look back, many of our previous opinions about cyber have been reinforced, but our perspective on how entities manage cyber risk continues to evolve (see Cyber Risk In A New Era: Remedy First, Prevent Second, published Sept. 17, 2020). However, it’s not all about managing the risk. We’re also seeing opportunities emerge in cyber services across many of our rated entities, particularly in information technology and insurance (see Sustained Demand For Cyber And IT Security Should Continue Supporting Exclusive Group's Performance, published Dec. 15, 2020).
The recent ransomware attack that shut down the Colonial Pipeline in the United States exemplifies the growing sophistication and potential ramifications of cyberattacks (see Cyber Attack Creates Some Uncertainty For Colonial Enterprises Inc., published May 10, 2021). Even since the Colonial attack, there have been attacks on rated entities involving the insurance sector in Asia, a European truck lease provider, a French distressed debt purchaser, and a global food company. All involved ransomware demands and highlighted attackers’ ability to choose targets without regard for geography or sector.
Nor are attacks limited to listed firms: sovereign states, regional governments, and public institutions are acutely vulnerable, too. Over the last 12 months we have seen attacks on the U.S. city of Hartford and numerous Texas school districts, across municipal utility sectors, and, more recently, on the Irish healthcare system.
To help mitigate the potential negative credit impact of cyberattacks, robust cybersecurity remains vital. Our analysis of recent attacks leads to one conclusion: there is no substitute for a robust cybersecurity system, from internal governance through to IT software.
We saw this most recently in the wake of the cyberattack on U.S. insurer CNA. The company’s prompt remedial actions--including communicating with employees, customers, brokers and agents, investors, and regulators--helped to limit the extent of the damage and mitigated our initial concerns about the potential impact on its brand, reputation, and competitive position. This cyberattack did not affect the ratings on CNA (see CNA Financial Corp.'s Quick Response To Cybersecurity Breach Has Not Hurt The Company's Brand Or Competitive Position, published March 26, 2021).
Active prevention of cyber events remains important, but this is now becoming the norm. Moving forward, we expect to see a shift toward active detection. We believe this will be even more important as cyberattacks evolve, becoming more difficult to detect. We’ve seen that failure to detect attacks early can amplify the negative effects of an attack.
We saw the importance of active detection in the case of SolarWinds Holdings Inc., which is widely reported to have suffered a breach several months before the company noticed it. The time that elapsed from attack to detection increased the scale and magnitude of the event. The impact and cost of the 2020 attack contributed in part to the recent downgrade of SolarWinds to ‘B’ from ‘B+’ (see SolarWinds Holdings Inc. Downgraded To 'B' On N-Able Divestment And Sunburst Breach-Related Costs, Outlook Stable, published April 29, 2021).
Board members are increasingly in the spotlight with respect to cyber exposure and cyber risk management. Although the COVID-19 pandemic will likely increase senior executives’ propensity to allocate funds to manage their firms’ exposure to cyber risk, this cannot fully mitigate the risk, in our view. Given that such a large proportion of cyber-related breaches can be traced to a deficient risk culture or human error, even a sizable cyber IT spend is not sufficient. We therefore expect to see more C-suite support for simulation exercises to gauge and probe preparedness.
The credit impact in the wake of a cyberattack remains contingent on the type of attack, the scale and magnitude, even the type of target itself (depending on the importance of reputation for its business model), and the underlying attack motive. Companies or entities may suffer indirectly as a result of centralized, perhaps politically motivated attacks (such as the SolarWinds/Microsoft Exchange Server attacks), but these may not always have direct financial and reputational consequences. Direct attacks on specific companies or entities, which combine a balance-sheet event with material operational disruptions, are more likely to have ratings implications, particularly if they are poorly managed and result in reputational damage.
Companies or public institutions that have weak wider governance standards will likely already have a relatively lower credit rating, even prior to any cyberattack. This was the case for JBS S.A. prior to the recent cyberattack (see Ransomware Attack Exposes JBS S.A. To Short-Term Operating Disruptions And Long-Term Reputational Risks, published June 2, 2021). The ratings on JBS S.A. already incorporated a two-notch downward adjustment due to the weak management and governance score. We will increasingly watch out for weak cyber governance standards, especially a lack of basic cyber hygiene features such as employee training and software patching to reduce firms’ potential exposure to known vulnerabilities that cyber attackers often attempt to exploit.
We regard the level of preparedness for, and management of, cyber risks as a category of overall operational risk management. Conventional risk management and governance protocols can easily translate to cyber so it is important to have a cyber risk appetite and tolerance level. If a company or entity cannot stay one step ahead, it must ensure that it does not fall behind its peers. At a minimum, we would expect a company to have a reliable and fully tested data back-up and recovery strategy as well as a well-rehearsed response plan.
The next major threat to the global financial system could easily be cyber related, with more correlated risk and more rapid contagion than historical experience would suggest. This is due to a globally interconnected digital ecosystem that often relies on a concentrated number of cloud service providers. Entities and governments should plan accordingly. Depending on its magnitude and financial impact, such an event could trigger widespread rating actions. In our view, entities with weaker balance sheets that lack adequate cyber insurance or other means of liquidity to address financial impacts would be more vulnerable to potential rating actions.
Insurers themselves are learning from COVID-19-related ambiguity across their products (in particular due to unclear contract wording), and this must remain a focus to ensure that, following a large-scale global cyber event, their exposure does not exceed the amount they were expecting.
The August 2020 cyberattack on New Zealand’s Stock Exchange Market (NZX) may have been anticipated given the role the exchange plays in the financial system. NZX subsequently accepted that its technology resources and crisis-management planning required improvements.
Events over the last 12 months have further highlighted the vulnerability of complex, interdependent networks, making supply chains an increasing source of cyber risk in the coming years. As a number of recent attacks--including those on SolarWinds, the Microsoft Exchange Server, and Codecov--and the 2013 data breach at Target Corp. have highlighted, cyber risk governance must focus on the wider supply chain, including cyber standards at third-party providers.