Update: Cyber Risk Is Factored into Business Credit Ratings, Starting with Equifax

May 23, 2019  Jeff B. Copeland

Updating this post: Moody's has downgraded its outlook on Equifax's credit rating to "negative", following the release of Equifax's latest financials showing $690 million set aside to cover court judgments expected to result from its massive data breach of 2017, as well as high costs for continuing investments in IT security. "We're treating this with more significance because it is the first time that cyber has been named a factor in outlook change," a Moody's spokesperson told CNBC. "This is the first time the fallout from a breach has moved the needle enough to contribute to the change."

Read more: Equifax Data Breach Costs Make a Case for Proactive, Quantitative Cyber Risk Analysis

Moody’s Investors Service, a division of the major credit-rating agency, just named the four industry sectors most at risk for financial disaster resulting from cyber attack: banks, investment firms, securities exchanges and hospitals, all heavily reliant on technology, and holding $11.7 trillion in debt.

The report is part of a growing effort by Moody’s to “integrate the danger posed by cyber attacks into its broader advice about how creditworthy various companies and industry sectors are,”  The Washington Post reports. Two other agencies, S&P Global Ratings and Fitch Ratings are reportedly heading in the same direction.

Moody’s wants to fix a major gap, from a debt holder’s point of view: “How often key facts about a company’s cyber protections and vulnerabilities are unknown to creditors,” The Post reports.

The credit agency is particularly concerned about business disruption events, such as the NotPetya malware attacks of 2017 that stopped FedEx from delivering in Europe, halted Maersk cargo ships unloading worldwide and shut down a Cadbury chocolates production line in Australia.

The head of Moody’s Cyber Risk Group, Derek Vadala  told CNBC that the agency will also focus assessments on reputational hazards.

“We’re looking into different types of scenarios to get into the details of what might affect certain companies,” Vadala said. “…For those higher-risk sectors, there will be impact down to the individual issuer level over time.”

Moody’s hasn’t settled on just how it will rate credit for cyber risk – but take it as a warning and get out in front of this trend.

With the  RiskLens platform, organizations can identify and quantify their top cyber risks, their overall cyber risk, and even break risks down to focus on the reputational, all expressed in financial terms.

The analysis is also defensible because it’s based on the international standard for cyber risk quantification,  the FAIR model. So, if Moody’s or the Securities and Exchange Commission (which last year  tightened its cyber disclosure requirements for stock-issuing companies) want to talk cyber risk, you can answer with confidence.

Originally published March 1, 2019