News built for finance pros
CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.
How long before “cyber hygiene” appears as a line on your credit report?
Cyberattacks can hurt an organization’s creditworthiness, and factors such as attack severity and the company’s profile play a role in how severe that impact is, according to a new report from Moody’s.
“Cyber incidents have not historically had much effect on credit quality, but the potential for adverse credit effects is rising as attacks evolve,” according to the report, entitled “Not all cyberattacks are created equal.”
Of course, no organization wants to fall victim to a cyberattack. But, in the (seemingly inevitable) event that an attack happens, those with higher liquidity and lower levels of debt are better suited to weather the storm, Moody’s noted.
Moody’s noted that it has only downgraded organizations’ ratings following a cyber incident 19 times, “despite a dramatic increase in cyberattacks over the last 10 years.” Of those downgrades, 10 “cited low liquidity in the credit opinion, and nine cited high leverage.” Companies already experiencing other financial shocks (say, a global pandemic) or those that don’t have diverse revenue streams are also more vulnerable, according to the report.
A company can lose money from a cyberattack from business disruption, loss of customers who move to another supplier, or theft of intellectual property. Costs associated with cyber events include, among other things, incident management and response, credit monitoring services, higher cyber liability insurance premiums, and legal defense.
With the myriad cost implications, it isn’t hard to imagine how a cyber event “can strain liquidity, impacting short-term cash flow,” as Moody’s noted. Cyber events are expensive; companies can find themselves writing checks because of fines from regulators, legal settlements, or find out that their cybersecurity bills have increased.
Cautionary tale. Moody’s used Equifax as an example of what could happen to a company’s creditworthiness. After the credit bureau suffered a data breach exposing 145 million Americans’ data in 2017, it forked over $690 million in 2019 to resolve class-action lawsuits and regulatory investigations, and also spent $1.5 billion over three years to beef up its security.
These costs “continued to weigh on free cash flow” and “drove debt levels higher,” according to the report. About two years after the attack, Moody’s downgraded its rating outlook for Equifax from stable to negative, and in 2020 downgraded it from Baa1 (moderate risk) to Baa2 (slightly more risk).