Cyber preparedness is an important factor in our analysis. We consider a commitment to cyber defense and the application of good cyber hygiene to be prerequisites to mitigate cyber risks and to contain and recover from attacks when they are successful.
Mar. 30, 2022
This report does not constitute a rating action
Michael P Altberg, New York, michael.altberg@spglobal.com
Vishal H Merani, New York, vishal.merani@spglobal.com
Mark Habib, Paris, mark.habib@spglobal.com
Raam Ratnam, London, raam.ratnam@spglobal.com
The pace of digital adoption and decentralized workforces accelerated during the pandemic and amplified global issuers' reliance on technology and the scale of data stored, and therefore their vulnerability to a cyber incident. The growing sophistication and professionalization of attackers, combined with accelerated change and heightened geopolitical risk, have increased the frequency of cyber incidents targeted to achieve specific goals (financial or strategic). As a result, the number of reported cyber incidents among nonfinancial corporate issuers has increased over the past several years, even though many incidents likely go undisclosed. According to Check Point Research, average weekly attacks per organization increased 53% in 2021 relative to 2020, with certain data-rich sectors experiencing even higher growth (see chart 1).
Most corporate issuers we rate have been able to manage the impacts of cyber incidents, and rating actions taken as a direct result of an attack have been limited so far. Still, total negative rating actions where a cyberattack was a contributing factor more than doubled for 2020 and 2021, relative to the preceding two-year period. We believe this upward trend will likely continue given that cyber risk is rapidly evolving and presents a growing risk to corporate credit quality.
We believe the increase in attacks will only continue as companies' digital ecosystems and interconnectivity expand and business applications shift to the cloud, amplifying the potential for criminals to exploit system and platform vulnerabilities across entities relying on similar infrastructure. Additionally, the decentralization of the workforce will likely remain permanent on some level as many companies adopt hybrid working models, expanding the attack surface of their networks and systems. Corporate sectors that have experienced the highest frequency of attacks—health care, technology, retail, and business services—tend to have a greater amount of sensitive customer and financial data and intellectual property (IP) that hackers can leverage for ransom or monetize externally (see chart 2).
The average loss per cyberattack, while varying greatly year to year, has been on an overall upward trend over the last few years based on reported disclosures. According to IBM Corp., the average total cost of a data breach increased 10% in 2021. Losses are highly correlated with the quantity and sensitivity of compromised data and the sophistication of attacks. We believe this upward trend is only natural given the increasing digitization of customer records and content. Additionally, the average loss per incident is highest in many of the sectors that have the greatest frequency of cyberattacks, underscoring the potential credit implications for these sectors—such as financial losses, contingent liabilities, and business interruption (see chart 3).
The U.S.-based software company Guidewire reports that most publicly available cyber incidents at nonfinancial corporate entities are related to data breaches. The number of ransomware attacks has also risen rapidly in recent years with an increasing number of attacks using a double-extortion strategy, where following a data breach, the attackers threaten to publicly disclose or sell stolen data should companies not pay the ransom. Ransomware attacks can also target business interruption to demand payment. This expands potential targets beyond traditional data breach candidates, to companies with high exposure to operational downtime, as with attacks on food processor JBS S.A. and midstream utility Colonial Pipeline Co. in 2021.
There is a high correlation between monetary losses and the size of an issuer as measured by revenue (see chart 4). Companies with revenue in the $1 billion-$5 billion and $5 billion-$10 billion ranges have seen the largest increase in average losses per cyber incident. Revenue scale is likely correlated with the scale of data, along with valuable IP, manufacturing processes, and trade secrets, as well as the costs of business interruption. While we believe losses have been primarily the result of direct attacks on specific companies, given increased interconnectivity, even direct attacks can have unintended consequences for second and third parties. For example, while hackers sought to extract ransom in their attack on Colonial Pipeline Co., the incident had secondary effects on other entities, resulting in temporary fuel shortages and customer panic.
Additionally, we are seeing more attacks on software service providers that create systemic risk for entities using those services. The risk of systemwide attacks over the coming years will continue to grow as companies shift to the cloud and use common third-party tools, highlighting the need for all issuers to enhance their strategy and spending around cyber security.
The demand by governments and regulatory bodies for companies to disclose cyber incidents and ransomware payments is increasing. This applies particularly to critical infrastructure, and to sharing this information in a timelier manner, which would help improve corporate and government cyber security posture. We expect laws relating to disclosure of cyber security incidents to be codified across various countries and to grow over the coming years, beyond those already established such as the General Data Protection Regulation (GDPR).
For instance, on March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) became a law requiring owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. The law tasks CISA to issue regulations specifying the types of cyber incidents that entities across 16 critical infrastructure sectors will have to report.
Separately, on March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules to enhance and standardize disclosures regarding cyber security risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, current reporting about material cyber security incidents; periodic reporting on policies and procedures to identify and manage cyber security risks, on the board of directors' oversight of cyber security risk, and on management’s role and expertise in assessing and managing cyber security risk; and updates about previously reported cyber security incidents.
In terms of insurance coverage, given the recent significant increases in the frequency and severity of cyber insurance claims, the insurance industry has improved its cyber risk management and is facing a period of portfolio optimization leading to heavy rate increases and adjustments in coverage and terms & conditions (see “Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market”, published Sept. 29, 2021).
These trends are making cyber insurance in general more expensive but will increase the focus on risk differentiation by incorporating security standards and linking improvement in customers’ information security levels to pricing consideration. That means corporate entities with a more resilient cyber security strategy will receive more attractive insurance rates, which could help to incentivize policyholders to adopt better cyber hygiene. Additionally, cyber insurance providers can play an important role in improving the cyber resilience of their policyholders by providing an ecosystem of cyber services—such as IT expertise, crisis management, data recovery—to prevent cyber claims, or to investigate any attacks on a policyholder quickly. While such factors could help to improve cyber security over the long term, for now the cyber re/insurance market remains capacity constrained. Many insurance providers are changing terms to restrict coverage for systemic risk, such as risk relating to compromised software infrastructure or cyberattacks deemed acts of war, setting higher retention levels for corporates, or imposing coinsurance requirements for ransom payments, which could make it more challenging for companies to be fully compensated in such a scenario.
Cyber risk results from a combination of the hackers' goals, motivation, and capabilities (likely driven by the assets a company possesses or its importance to critical infrastructure) and the organization's cyber preparedness. As cyberattacks increase in sophistication and frequency, companies must embed cyber security into their risk-mitigation strategies to reduce their vulnerability. We consider the issuer's focus on and commitment to cyber defense and its application of good cyber hygiene to be prerequisites to mitigating cyberattacks and to containing and remediating losses when cyberattacks are successful. If we believe an issuer is not incorporating cyber risk mitigation strategies into its corporate governance, it could result in a lower rating than similarly positioned peers.
Cyberattacks could harm credit quality in the form of reputational risk, loss of customer and supplier relationships, as well as financial impacts resulting from operating shutdowns, liquidity constraints, investments to remediate infrastructure, investments in training, and regulatory and litigation costs. Although most issuers facing cyber incidents have so far had sufficient financial cushion with limited ratings impact, we believe cyber risk represents a growing threat and will likely pose greater downside risks on credit ratings over the coming years.
Our assessment of the company’s risk management aims to be forward looking and reflect its cyber readiness to prevent or minimize the potential losses. While cyber defenses may not provide full immunity from incidents, good cyber preparedness should help detect and respond to an incident sooner and likely mitigate losses. Further, we expect that cyber incidents will often shine a light on the lack of preparedness.
Our analysis of a company's strategy to prepare for, respond to, and recover from an attack leverages the National Institute of Standards and Technology (NIST) framework. We expect most issuers to put in place appropriate levels of cyber defenses to address each of the five core NIST framework functions:
Identify cyber risk: The issuer understands its external environment and has put in place a cybersecurity strategy that addresses key risks and allocates resources to govern and test the strategy as a part of its broader ERM framework. The issuer is knowledgeable of its physical and digital assets, dependencies on third parties, has set risk tolerances and created board accountability.
Protect assets: This entails implementing cyber hygiene practices such as firewalls, antivirus, and staff training. The issuer conducts regular systems access audits and has controls around financial payments.
Detect cyberattacks: Establish tools and processes to monitor systems and detect potential threats.
Respond and limit damage: Have a defined incident response plan that is frequently tested to contain and mitigate the impact of cyberattacks, communicate with the relevant stakeholders, and analyze the incident for lessons learned.
Recover: Restore data from backups, reconfigure systems, or use other means of regaining systems access; communicate with key stakeholders; and incorporate lessons learned into risk-management policies and practices.
In assessing cyber preparedness, we attempt to understand whether a formally documented cyber security strategy exists and whether the issuer routinely measures its effectiveness and maturity. If a financial sponsor owns the company, we try to understand whether cybersecurity is something the financial sponsor focuses on and what its level of cyber expertise is. Further, we try to understand who is ultimately responsible for the company’s cyber security, how the company allocates its budget toward cyber security, whether the company benefits from any cyber expertise on its board, and whether it has put in place appropriate levels of cyber insurance and considered exceptions arising from systemic risk in its policy.
Within our Corporate Methodology framework (see below), we factor cyber risk into our management & governance (M&G) assessment, typically under “comprehensiveness of risk management standards and tolerances”, although other areas of our management and governance assessment could become relevant, such as board effectiveness, management culture, or other management and governance considerations (see M&G criteria). For example, Yahoo’s data breaches in 2013 and 2014 were disclosed by the company in the second half of 2016, which at that time in our view was an example of poor management preparedness, disclosure, and response to a cyberattack. These breaches collectively impacted almost its entire 3 billion user base and resulted in lawsuits, regulatory investigations, and a $350 million reduction in the company’s acquisition price by Verizon.
Following a cyberattack, we would, if material, capture the credit impact on a company in various parts of the Corporate Ratings framework depending on the type, severity, and longer-term effects of the incident. For example:
As we note in our methodology (“Environmental, Social, And Governance Principles In Credit Ratings,” Oct. 10, 2021), we view cyber risk first as a governance risk factor and typically capture it through our assessment of risk management, culture, and oversight. Our ESG governance indicator in the G-3 to G-5 range reflects our view of how relevant and material the impact of inadequate governance is on an issuer's creditworthiness. Cyberattacks could also be reflected as a social risk factor (for example, social capital) to the extent that the incident impacts customer privacy and has material negative reputational consequences affecting stakeholder relationships or triggering important penalties from regulators. For example, the Equifax data breach resulted in the loss of consumer names, social security numbers, birth dates, and addresses amongst other data for about 147 million people and eventually resulted in a settlement payment in excess of $700 million, and increased costs and investments that led us to downgrade the company to 'BBB' from 'BBB+' in March 2019. In rare cases, cyber-related social factors could be a positive consideration in our credit rating analysis, such as for cyber security software providers like CrowdStrike Holdings Inc.
Within the context of ratings, we focus on elements of cyber security that are relevant and material for the assessment of credit risk for our rated issuers. We leverage our interactions with issuers to identify their commitment to and prioritization of cybersecurity in their overall risk management efforts.
Further, we strive to identify, compare, and contrast the structural and operational steps issuers take against those of the broader rated universe. While most of the credit rating actions to date have arisen after a cyberattack, we believe the level of cyber risk preparedness is likely uneven across corporate issuers and sectors and will become increasingly important in our analysis of issuers' management and governance.