The cyber threat to corporate issuers is predominantly concentrated in sectors that have critical infrastructure systems that are highly sensitive to business interruption or have extensive and sensitive customer data, technology, or intellectual property.
Nov. 07, 2022
This report does not constitute a rating action
Mark Habib, Paris, mark.habib@spglobal.com
Michael P Altberg, New York, michael.altberg@spglobal.com
Raam Ratnam, London, raam.ratnam@spglobal.com
Vishal H Merani, New York, vishal.merani@spglobal.com
In our previously published cyber risk commentary, "How Cyber Risk Affects Credit Analysis For Global Corporate Issuers", we discussed the growing risk of cyberattacks to nonfinancial corporates. While not a material driver of credit rating actions to date, we noted the rising nature of the threat, both in terms of frequency and monetary impact. We emphasized the importance of preparation through robust cyber hygiene and described the key elements of our ratings framework that could be negatively affected by cyberattacks or weak cyber risk preparedness.
We have since surveyed our senior corporate sector specialists to gauge their view of the cyber threat facing corporates today. We have also compiled certain case studies of past cyber incidents across geographies and industries, to highlight the wide range of impacts on global corporate issuers and to what extent they could affect credit quality.
Cyber risk vulnerability for nonfinancial corporates varies across sectors, although no sector is completely immune
When we look at cyber risk for nonfinancial corporates, the landscape is particularly varied across sectors. Even within a particular industry, company-specific risks vary greatly because of business model, geographical presence, and size and scale. These factors have significant implications in terms of companies' adoption of technology, cyber hygiene, and ultimately shaping their exposure to cyber risk.
To gauge relative cyber risk across industries, we surveyed our global industry sector specialists and asked them to categorize the current threat level (e.g., probability of cyberattacks occurring) based on their views of the characteristics of the industry (such as data and IP assets, technological complexities, social presence, operational exposures, etc.; see chart 1). The chart illustrates analysts' assessment of the industry's risk exposure or risk of experiencing a cyberattack or incident. This differs from the potential credit impact following a cyberattack, which we study further in the subsequent section.
The themes that dominate the higher-risk group include extensive use of payment processing systems and personal financial data (retail and restaurants), valuable IP (pharmaceuticals), sensitive personal data and infrastructure (technology, health care) and infrastructure and control system attacks (telecoms, technology, utilities). The industries perceived to be less vulnerable tend to have comparatively lower value-added or commoditized products, IP-related risk, and generally limited reliance on high-end technology and lower public network touchpoints (for example real estate, chemicals, and forest and paper products).
When we compare our survey data with reports from third-party surveys or sources (e.g., Guidewire), we see similar results where sectors like technology, health care, telecoms, and retail and restaurants are often more significantly exposed to cyber risks. As chart 2 illustrates, this could be particularly relevant to a sector like health care because on average, companies with higher leverage and lower free operating cash flow (FOCF) to debt would have less financial flexibility to absorb financial losses or operational disruption from cyberattacks.
To date, rating actions where cyber risk has led to direct or indirect credit deterioration have been relatively few. That said, monetary losses stemming from cyberattacks have been on an overall upward trend over the last few years based on reported disclosures. According to IBM Security, the average cost of a data breach event was $4.35 million in 2022, up roughly 12.7% since 2020. This study looked at data breach incidents that did not exceed 102,000 data records. However, the risk of more severe black swan events such as the cyberattacks that occurred at Equifax, Capital One, or Facebook is also ever present, heightening the need for strong cyber defenses among the most exposed industries. To examine this risk, we used Guidewire's tail-value-at-risk calculation, which measures the weighted average loss for the 40 most severe simulations in Guidewire's model. Based on this calculation, losses as a percent of revenue range from less than 1% to over 4% for global nonfinancial corporate sectors. On average, sectors rich in personal and financial data, IP, and operational technologies, such as media, entertainment and leisure, retail & restaurants, and telecommunications would experience the greatest losses as a percent of revenue under severe scenarios (see chart 3). While these severe estimated losses are based on low-probability events (e.g., less than 1%), companies with higher exposure and critical assets should prepare for extreme cases within their response and recovery plans.
We asked our sector specialists to give their rankings of the main risks arising from a cyber incident for the companies in their sector. Most of our credit analysts and sector specialists ranked business interruption as the most material and significant risk followed by damage to brands (see chart 4). Ransomware payments and regulatory fines are considered relatively more manageable risks, at least from a credit perspective. This is mainly because monetary losses related to ransom payments and regulatory fines—except for rare cases—have been relatively modest to date when compared with an issuer's financial resources. That said, fines have been increasing over the last several years, especially in the European Union (EU) since the enactment of new privacy laws (General Data Protection Regulation) in 2018, where penalties could now reach up to 4% of a company's global annual revenue.
However, unlike one-time monetary payments, business interruption or damage to brands could have more severe and longer-lasting consequences in terms of lost revenue, loss of customer trust and attrition, negative impact on business relationships, and weakened competitive positions relative to peers.
Key risks also vary based on sector-specific characteristics (see chart 5). For example, sectors that rely less on technology to run their operations, such as real estate, see the greatest risk from ransomware payments. Business interruption is a material risk across several sectors, including specialized sectors such as health care services and pharmaceuticals and sectors dealing with high customer numbers such as retail and consumer goods, utilities, and transportation. Commodity-based sectors like oil and gas and forest and paper products are also most affected by business interruption risk but see relatively lower risk of damage to brand reputation arising from a cyberattack.
The growing number and sophistication of attackers has increased the frequency of cyber incidents. As a result, the number of reported cyber incidents among nonfinancial corporate issuers has increased over the past several years, even though many incidents likely go undisclosed.
We selected seven examples for case studies across different sectors and regions to illustrate the key factors that play into our assessment of the credit impact following a cyber incident. We highlight Colonial Enterprises Inc., JBS S.A., SolarWinds Holdings Inc., T-Mobile US Inc., Travelex Holdings Ltd., Toyota Motor Corp., and Viasat Inc. Through these case studies we also aim to highlight:
These case studies also highlight that while cyber defenses may not provide full immunity from incidents, good cyber preparedness and decisive management action help detect and respond to an incident sooner and mitigate losses. At the other end of the spectrum, cyber incidents often shine a light on a lack of preparedness. Each of these case studies illustrates S&P Global Ratings' approach in considering the issuer's focus and commitment to containing and remediating losses when cyberattacks are successful (the ratings included are as of Nov. 7, 2022).
Rating: A/Stable/--
Sector: Midstream Utilities
Attack type: Ransomware
Rating considerations: Cash flow/leverage
Colonial reported a ransomware attack on May 7, 2021. The company temporarily halted operations and took certain systems offline to contain the threat—it shut down 5,500 miles of pipeline, leading to a disruption of nearly half of the East Coast fuel supply and causing gasoline shortages. The company also engaged a third-party cyber security firm to support it through this process at a cost of roughly $5 million.
Colonial had periodically endured temporary curtailments for one-off events such as hurricanes or pipeline spills, without a credit deterioration. Volumes for certain refined products were also already running lower than 2019 levels because of the COVID-19 pandemic. Gasoline and jet fuel demand were just beginning to recover to pre-pandemic levels, further mitigating the impact. As a result, the incident did not materially alter our 2021 base-case forecast of an adjusted debt-to-EBITDA ratio of 3x-3.5x or breach our downgrade trigger of sustained leverage above 3.5x.
Following the cyberattack, Colonial employed additional cybersecurity measures to protect its IT systems and recovered a significant portion of the total costs related to the incident from insurance. We estimate the total cost of the incident had no material impact on the company's cash flow profile. However, the company is currently subject to three class action lawsuits that may cause additional liabilities.
The event highlighted the vulnerability of critical infrastructure to cyberattacks, especially as operations become more digitized. Some companies may have business interruption insurance that could mitigate such events. While this event didn't immediately affect credit quality, prolonged reduced operations could resonate throughout the energy landscape. It also highlighted the potential spillover effects that cyberattacks could have on third parties and related end markets. This contributed to congressional passage of new cyber requirements for critical infrastructure firms, obligating them to alert the government within three days of a cyberattack and within one day if a ransom is paid.
Rating: BBB-/Stable/--
Sector: Consumer Products
Attack type: Ransomware
Rating considerations: Management/Governance
On May 30, 2021, JBS USA Lux S.A. reported its systems were attacked in a ransomware incident. Its U.S. beef and Australian operations were affected, representing 40%-45% of JBS' revenue and EBITDA in the prior 12 months. It estimated that 20% of its U.S. plants were offline after the ransomware attack, but it didn't affect the Mexican and U.K. operations that are also under JBS USA Lux. The company's quick action, robust technological systems, and support from the White House, the USDA, and FBI enabled it to rapidly resolve the situation. Production resumed completely one day after the attack, and according to the company there was no data breach or privacy leak. In our view, the impact of the cyber incident did not have any material impact on the company's market standing, cash position, or cash generation.
There was no ratings impact largely because of the company's sufficient balance sheet cushion (see "JBS S.A. Upgraded To 'BBB-' From 'BB+' On Longer Record Of Improved Governance Standards, Outlook Stable", June 2, 2021). Given the procurement dynamics of the U.S. beef industry with record high margins at the time, we believed even higher profitability would mitigate the impact of lost volumes if the temporary shutdown led to higher prices. Volumes were quickly restored and market prices were not affected, with no lasting impact on JBS' credit metrics and cash generation.
At the time, we assessed JBS' management and governance (M&G) as weak because of corruption scandals involving the company and its owners in 2017 that led JBS to refinance all its bank debts. For the past several years, JBS has consistently implemented stronger control scrutiny, added senior positions in compliance and risk, and exhibited a more conservative financial policy to contain leverage, including in its strategic approach to M&A and shareholder remuneration. The JBS owners who were involved left the company, and it increased the number of independent board members and market professionals in the executive team. Family members still hold senior positions, but we believe there is less reliance on key personnel for strategic decisions.
Because of the above, we revised our M&G assessment to fair from weak in June 2022, which led us to raise the rating to 'BBB-' from 'BB+'. In our view, the fair assessment indicates ongoing improvements but still reflects weaker governance and risk controls when compared with other industry peers.
Rating: B/Stable/--
Sector: Tech Software
Attack type: Malware
Rating considerations: Competitive position and cash flow/leverage
On Dec. 14, 2020, SolarWinds Holdings Inc. reported a malware cyberattack (Sunburst breach) that inserted a vulnerability into its Orion monitoring products, allowing the compromise of servers on which Orion products run. The vulnerability was inserted into updates released between March and June 2020. Orion products represented 45% of its total revenues. Of the more than 300,000 SolarWinds customers, 33,000 were active maintenance customers of Orion. The company estimated fewer than 18,000 customers had installed the version of Orion that contained the vulnerability.
On Dec. 22, 2020, we placed our rating on SolarWinds on CreditWatch with negative implications, as new information indicated the potential for serious harm to affected clients. We specifically noted an increased negative risk to new sales and of attrition in the existing customer base.
In April 2021, we downgraded SolarWinds Holdings Inc. to 'B' with a stable outlook, with the cyber incident a contributing factor. Although the company managed the incident well, facilitating recovery and remediation through proactive communication, it nonetheless resulted in lower revenue growth, higher costs, and lower profitability in 2021. At the time, we forecasted a decline in its renewal rates (dropping to the low-80% area from the low-90% area prior to the Sunburst breach) and up to $25 million of annual costs to boost its security initiatives. These contributed to an increase in S&P Global Ratings-adjusted gross debt to EBITDA to above 6x, along with the divestment of N-able, its managed service provider business. Almost two years on, while renewal rates have ticked up to historical (pre-breach) levels, the company continues to face growth headwinds due to the lingering effects of the breach on net new business. The breach remains a materially negative social factor in our consideration of credit-relevant ESG risks in our rating, weighing on our assessments of the company's competitiveness and financial performance.
Rating: BBB-/Positive/--
Sector: Telecom
Attack type: Data breach
Rating considerations: Competitive position, cash flow/leverage, liquidity, and management and governance
On Aug. 16, 2021, T-Mobile reported a data breach, estimating that about 7.8 million post-paid accounts, or about 30% of its total post-paid subscriber base at the time were affected, as well as 40 million records of former and prospective customers. The data, which included names, phone numbers, addresses, birth dates, social security numbers, and driver's license information, was stolen and offered for sale. T-Mobile disclosed that it was working with Mandiant to develop a strategic plan to boost its overall cybersecurity. KPMG was also instructed to review T-Mobile's security policies to identify any gaps and areas that needed to be improved.
The cyberattack had no ratings impact as the company had sufficient financial flexibility to absorb the near-term costs associated with the data breach, including robust liquidity and cash flow generation (see "The Recent Cyberattack On T-Mobile US Could Hurt Its Reputation And Make It More Difficult To Attract Postpaid Customers", Aug. 31, 2021). Indeed, this allowed the company to absorb $350 million in lawsuit settlement costs and a requirement to invest $100 million annually to upgrade network protection capability without a material credit impact.
However, we added that the incident posed potential reputational risk for T-Mobile given the scope of the data breach. In our view, the most significant longer-term risk for T-Mobile was the potential loss of confidence of its existing customers in the security of their personal information and the possibility of higher churn to other carriers and fewer gross subscriber additions, especially in its high-margin post-paid segment. The attack also raised our concern about T-Mobile's ability to address its risks and whether it had a sufficiently comprehensive cybersecurity strategy.
That said, the cyberattack ultimately did not affect operating or financial performance. In fact, during the second quarter of 2022, T-Mobile reported service revenue growth of 6%, post-paid phone net adds of 723,000, and record low post-paid phone churn of 0.8%. Furthermore, on Aug. 5, 2022, we raised the issuer credit rating on T-Mobile to 'BBB-' with a positive outlook based on performance and improving credit metrics.
Rating: Not rated
Sector: Travel and Leisure
Attack type: Malware
Rating considerations: Competitive position, cash flow/leverage, liquidity, and management/governance
On Jan. 2, 2020, U.K.-based Travelex Holdings Ltd. reported a malware attack had compromised its online services requiring it to take its systems offline. The malware primarily affected Travelex's online service segment, and the decision to take the system offline as a precautionary measure consequently affected online services including those of its customers such as Tesco, Sainsbury's, HSBC, and Virgin Money. Besides the breaches of service level agreement terms with its customers, reputational damage from this incident had the potential to affect Travelex's market standing and its ability to successfully renew outsourcing contracts.
On Jan. 9, 2020, we put our ratings on Travelex on CreditWatch with negative implications (see "Travelex Holdings Ltd. 'B-' Ratings Placed On CreditWatch Negative On Cyber Attack Disruption"). While the full extent of the disruption wasn't known at that point, we commented that the disruption would affect Travelex's reputation and brand and raised concerns about the strength and adequacy of its governance and internal controls. We revised Travelex's management and governance assessment to weak from fair based on the time involved to resolve the breach and the reputational damage sustained through public media coverage of the incident. With Travelex's highly leveraged stand-alone capital structure and its rating headroom reduced, the scale and extent of the cyberattack also raised questions about its creditworthiness on a stand-alone basis.
We downgraded Travelex to 'CCC' on March 4, 2020, based on knock-on effects of the ransomware attack combined with lower transaction volumes from COVID-19, reducing underlying EBITDA for the first quarter of 2020 by £25 million. The company successfully restored all its customer-facing systems in a phased and controlled program, reducing the effect of the malware for the rest of the year. The company recovered some of the cost through a cyber-insurance policy. That said, the timing of the insurance payments and any regulatory implications of these attacks wasn't determined at the time of this rating action. We also commented that the COVID-19 disruption and its effect on full-year earnings could lead to a deeply unsustainable capital structure.
Rating: A+/Stable/--
Sector: Automotive
Attack type: Malware
Rating considerations: Competitive position and cash flow/leverage
On March 1, 2022, Toyota was forced to suspend operations on all of its 28 lines at 14 domestic plants in Japan, including the plants at its subsidiaries Daihatsu Motor Co. Ltd. and Hino Motors Ltd. The suspension lasted for a day because of a malware attack on one of its domestic suppliers, Kojima Industries Corp.
The impact was relatively limited as Toyota was able to dispatch a support team to help Kojima resolve its system issues. In all, the production of about 13,000 vehicles was affected, compared with global sales of more than 9.6 million in fiscal 2021 (ended March 31, 2022). Had the production outage lasted longer, Toyota could have experienced a more meaningful decline in cash flows.
Despite the limited impact, the malware attack highlights potential vulnerabilities within a rated issuer's supply chain. As supply chains become increasingly complex, and an important competitive differentiator, companies will find it more difficult to manage cyber risks across the value chain. Attackers need only find vulnerabilities at smaller suppliers with weak cyber defenses to cause material disruption across the supply chain.
The cyberattack also highlights the need for greater vigilance in the Asia-Pacific region. Though cyberattacks are more widely disclosed in the U.S. and Europe, high-profile cyberattacks have increased in Asia in the past year.
Rating: BB-/Stable/--
Sector: Telecom
Attack type: Denial of service
Rating considerations: Competitive position, cash flow/leverage, and liquidity
In February 2022, Viasat's KA-SAT network (its satellite over Europe, the Middle East, and Africa) was subject to a denial-of-service (DoS) cyberattack that resulted in a partial interruption to its consumer broadband service. The attack, which was first reported in March 2022, was isolated to a consumer-focused part of its KA-SAT network affecting a minority of its users, including several thousand customers located in Ukraine and tens of thousands of fixed-broadband customers across Europe. The attack did not affect users on Viasat's other networks. The KA-SAT network, which Viasat had acquired in 2021, was managed by Skylogic, a subsidiary of Eutelsat S.A. Viasat stabilized the network in the days following the attack and continued to provide broadband service to its customers. Still, the breach garnered global media attention due to speculation that the attack had emanated from Russian hackers attempting to disrupt communications during Russia's invasion of Ukraine.
In April 2022, we commented that the attack would not have a material impact on Viasat's creditworthiness and that there was no ratings impact, though we would monitor the company's operating performance over the coming quarters to determine whether the incident led to increased customer attrition or lower bookings (see "Viasat Inc.'s Creditworthiness Will Likely Be Unaffected By The Recent Cyberattack Against Its KA-SAT Network").
We concluded there would be no immediate credit impact because we expected limited revenue losses from the service interruption since the vast majority of Viasat's global customer base was unaffected, and the company was in the process of restoring service to those affected. In addition, we expected only a modest increase in Viasat's operating costs to resolve the incident, mostly related to shipping and testing costs associated with replacing customer equipment. As a result, we expected Viasat to maintain credit metrics that supported the rating. Further, because Viasat was operating under a transition agreement with Skylogic to operate and support the ground segment operations of the KA-SAT network at the time of the attack, we did not view the incident as indicative of a material deficiency in Viasat's risk management or governance practices. In addition, the fact that Viasat was not operating the network infrastructure reduced the risk of reputational damage, in our view.
Although we did not anticipate the incident would have a near-term effect on our rating on Viasat, we expected the company would incur additional costs over the long term such as higher insurance premiums for its cyber risk coverage, increased investment to implement enhanced security measures in its products and services, and potential litigation expenses. Still, we expected these costs would be modest and did not foresee them having a material effect on the company's credit metrics or business prospects.