Key Takeaways
- We have seen more credit-relevant cyber events in the last six months than in the previous six years.
- Almost all recent attacks involved ransomware demands and highlighted attackers' ability to choose targets without regard for geography or sector.
- To help mitigate the potential negative credit impact of cyberattacks, robust cybersecurity remains vital. There remains no substitute for a robust cybersecurity system, from internal governance to IT software.
- Other key factors that determine how well entities manage cyber risk include: prompt remedial action, active detection, C-Suite support including budget allocation, and a better understanding of risks arising from third-party providers or supply chains.
Given the increasing sophistication of cyberattacks over the past 12 months, cyber risk is a more relevant topic than ever before. At S&P Global Ratings, we have seen more credit-relevant cyber events in the last six months than in the previous six years, and we routinely reflect on recent cyber developments to sharpen our focus and to help us refine our forward-looking credit views.
Since our most recent look back, many of our previous opinions about cyber have been reinforced, but our perspective on how entities manage cyber risk continues to evolve (see Cyber Risk In A New Era: Remedy First, Prevent Second, published Sept. 17, 2020). However, it's not all about managing the risk. We're also seeing opportunities emerge in cyber services across many of our rated entities, particularly in information technology and insurance (see Sustained Demand For Cyber And IT Security Should Continue Supporting Exclusive Group's Performance, published Dec. 15, 2020).
The recent ransomware attack that shut down the Colonial Pipeline in the United States exemplifies the growing sophistication and potential ramifications of cyberattacks (see Cyber Attack Creates Some Uncertainty For Colonial Enterprises Inc., published May 10, 2021). Even since the Colonial attack, there have been attacks on rated entities involving the insurance sector in Asia, a European truck lease provider, a French distressed debt purchaser, and a global food company. All involved ransomware demands and highlighted attackers' ability to choose targets without regard for geography or sector.
Nor are attacks limited to listed firms: sovereign states, regional governments, and public institutions are acutely vulnerable, too. Over the last 12 months we have seen attacks on the U.S. city of Hartford and numerous Texas school districts, across municipal utility sectors, and, more recently, on the Irish healthcare system.
To help mitigate the potential negative credit impact of cyberattacks, robust cybersecurity remains vital. There remains no substitute for a robust cybersecurity system, from internal governance to IT software; these are our conclusions from analyzing recent attacks.
Looking Back To Look Forward
Swift action remains vital
We saw this most recently in the wake of the cyberattack on U.S. insurer, CNA. The company's prompt remedial actions--including communicating with employees, customers, brokers and agents, investors, and regulators--helped to limit the extent of the damage and mitigated our initial concerns about the potential impact on its brand, reputation, and competitive position. This cyberattack did not affect the ratings on CNA (see CNA Financial Corp.'s Quick Response To Cybersecurity Breach Has Not Hurt The Company's Brand Or Competitive Position, published March 26, 2021).
Active detection needs to become front and centre
Active prevention of cyber events remains important, but this is now becoming the norm. Moving forward, we expect to see a shift toward active detection. We believe this will be even more important as cyberattacks evolve, becoming more difficult to detect. We've seen that failure to detect attacks early can amplify the negative effects of an attack.
We saw the importance of active detection in the case of SolarWinds Holdings Inc., which is widely reported to have suffered a breach several months before the company noticed it. The time that elapsed from attack to detection increased the scale and magnitude of the event. The impact and cost of the 2020 attack contributed in part to the recent downgrade of SolarWinds to 'B' from 'B+' (see SolarWinds Holdings Inc. Downgraded To 'B' On N-Able Divestment And Sunburst Breach-Related Costs, Outlook Stable, published April 29, 2021)
Budget allocation is not the only measure of C-Suite support
Board members are increasingly in the spotlight with respect to cyber exposure and cyber risk management. Although the COVID-19 pandemic will likely increase senior executives' propensity to allocate funds to manage their firms' exposure to cyber risk, this cannot fully mitigate the risk, in our view. Given that such a large proportion of cyber-related breaches can be traced to a deficient risk culture or human error, even a sizable cyber IT spend is not sufficient. We therefore expect to see more C-suite support for simulation exercises to gauge and probe preparedness.
Motives matter
The credit impact in the wake of a cyberattack remains contingent on the type of attack, the scale and magnitude, even the type of target itself (depending on the importance of reputation for its business model), and the underlying attack motive. Companies or entities may suffer indirectly as a result of centralized, perhaps politically motivated attacks (such as the SolarWinds/Microsoft Exchange Server attacks), but these may not always have direct financial and reputational consequences. Direct attacks on specific companies or entities, which combine a balance-sheet event with material operational disruptions, are more likely to have ratings implications, particularly if they are poorly managed and result in reputational damage.
Getting the basics right to stay one step ahead
Companies or public institutions that have weak wider governance standards will likely already have a relatively lower credit rating, even prior to any cyberattack. This was the case for JBS S.A. prior to the recent cyberattack (see Ransomware Attack Exposes JBS S.A. To Short-Term Operating Disruptions And Long-Term Reputational Risks, published June 2, 2021). The ratings on JBS S.A. already incorporated a two-notch downward adjustment due to the weak management and governance score. We will increasingly watch out for weak cyber governance standards, especially a lack of basic cyber hygiene features such as employee training and software patching to reduce firms' potential exposure to known vulnerabilities that cyber attackers often attempt to exploit.
We regard the level of preparedness for, and management of, cyber risks as a category of overall operational risk management. Conventional risk management and governance protocols can easily translate to cyber so it is important to have a cyber risk appetite and tolerance level. If a company or entity cannot stay one step ahead, it must ensure that it does not fall behind its peers. At a minimum, we would expect a company to have a reliable and fully tested data back-up and recovery strategy as well as a well-rehearsed response plan.
Expect the (un)expected
The next major threat to the global financial system could easily be cyber related, with more correlated risk and more rapid contagion than suggested by historical experience. This is due to a global, digital interconnected ecosystem often with reliance on a concentrated number of cloud service providers. Entities and governments should plan accordingly. Depending on its magnitude and financial impact, such an event could trigger widespread rating actions. In our view, entities with weaker balance sheets that lack adequate cyber insurance or other means of liquidity to address financial impacts would be more vulnerable to potential rating actions.
Insurers themselves are learning from COVID-19-related ambiguity across their products (in particular due to unclear contract wording) and this must remain a focus to ensure that following a large scale global cyber event their exposure does not exceed the amount they were expecting.
The August 2020 cyberattack on New Zealand's Stock Exchange Market (NZX) may have been anticipated given the role the exchange plays in the financial system. NZX subsequently accepted that its technology resources and crisis-management planning required improvements.
Supply chain complexity poses a key source of risk
Events over the last 12 months have further highlighted the vulnerability of complex, interdependent networks, making supply chains an increasing source of cyber risk in the coming years. As a number of recent attacks--including those on SolarWinds, the Microsoft Exchange Server, and Codecov--and the 2013 data breach at Target Corp. have highlighted, cyber risk governance must focus on the wider supply chain, including cyber standards at third party providers.
Editor: Alexandria Vaughan.
Related Research
- Ransomware Attack Exposes JBS S.A. To Short-Term Operating Disruptions And Long-Term Reputational Risks, June 2, 2021
- Cyber Attack Creates Some Uncertainty For Colonial Enterprises Inc., May 10, 2021
- SolarWinds Holdings Inc. Downgraded To 'B' On N-Able Divestment And Sunburst Breach-Related Costs, Outlook Stable, April 29, 2021
- CNA Financial Corp.'s Quick Response To Cybersecurity Breach Has Not Hurt The Company's Brand Or Competitive Position, March 26, 2021
- Sustained Demand For Cyber And IT Security Should Continue Supporting Exclusive Group's Performance, Dec. 15, 2020
- Cyber Risk In A New Era: Remedy First, Prevent Second, Sept. 17, 2020
This report does not constitute a rating action.
Primary Credit Analyst: | Simon Ashworth, London + 44 20 7176 7243; simon.ashworth@spglobal.com |
Secondary Contacts: | Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com |
Irina Velieva, Moscow + 7 49 5783 4071; irina.velieva@spglobal.com | |
Nik Khakee, New York + 1 (212) 438 2473; nik.khakee@spglobal.com | |
Manuel Adam, Frankfurt + 49 693 399 9199; manuel.adam@spglobal.com | |
Matthew S Mitchell, CFA, Paris +33 (0)6 17 23 72 88; matthew.mitchell@spglobal.com | |
Cristina Polizu, PhD, New York + 1 (212) 438 2576; cristina.polizu@spglobal.com | |
Lena Schwartz, RAMAT-GAN + 972-3-7539716; lena.schwartz@spglobal.com | |
Etai Rappel, RAMAT-GAN + 972-3-7539718; etai.rappel@spglobal.com | |
Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: research_request@spglobal.com.