Key Takeaways
- The rapid pace of digitization and interconnectivity have led to an increase in the frequency and severity of cyberattacks, resulting in greater monetary losses for corporate entities.
- Total negative rating actions where a cyberattack was a contributing factor, while modest in number, more than doubled in 2020 and 2021 relative to the preceding two-year period, a trend we expect will continue.
- Cyber preparedness is an increasingly important emerging risk factor in our analysis and companies that do not incorporate cyber risk mitigation strategies into their corporate governance and risk management frameworks could face ratings pressure, even before an attack.
- Sectors with extensive and sensitive customer data, like technology, health care, education, business services, and retail, have been more frequent targets, but the growing prevalence of ransomware is a risk for all sectors.
- Demand for cyber insurance has been increasing, but limited cyber insurance capacity on the supply side is leading to rapidly rising premiums and adjustments in coverage, terms, and conditions.
The Scale And Scope Of Cyber Risk Is Growing
The pace of digital adoption and decentralized workforces accelerated during the pandemic and amplified global issuers' reliance on technology and the scale of data stored, and therefore their vulnerability to a cyber incident. The growing sophistication and professionalization of attackers, combined with accelerated change and heightened geopolitical risk, have increased the frequency of cyber incidents targeted to achieve specific goals (financial or strategic). As a result, the number of reported cyber incidents among nonfinancial corporate issuers has increased over the past several years, even though many incidents likely go undisclosed. According to Check Point Research, average weekly attacks per organization increased 53% in 2021 relative to 2020, with certain data-rich sectors experiencing even higher growth (see chart 1).
Most corporate issuers we rate have been able to manage the impacts of cyber incidents and subsequent rating actions as a direct result of an attack have been limited so far. Still, total negative rating actions where a cyberattack was a contributing factor more than doubled for 2020 and 2021, relative to the preceding two-year period. We believe this upward trend will likely continue given cyber risk is rapidly evolving and presents a growing risk to corporate credit quality.
Chart 1
Cyberattacks will likely rise, and no sector is immune
We believe the increase in attacks will only continue as companies' digital ecosystems and interconnectivity expand and business applications shift to the cloud, amplifying the potential for criminals to exploit system and platform vulnerabilities across entities relying on similar infrastructure. Additionally, the decentralization of the workforce will likely remain permanent on some level as many companies adopt hybrid working models, expanding the attack surface of their networks and systems. Corporate sectors that have experienced the highest frequency of attacks—health care, technology, retail, and business services—tend to have a greater amount of sensitive customer and financial data and intellectual property (IP) that hackers can leverage for ransom or monetize externally (see chart 2).
Chart 2
Losses from cyberattacks are trending upward
The average loss per cyberattack, while varying greatly year to year, has been on an overall upward trend over the last few years based on reported disclosures. According to IBM Corp., the average total cost of a data breach increased 10% in 2021. Losses are highly correlated with the quantity and sensitivity of compromised data and the sophistication of attacks. We believe this upward trend is only natural given the increasing digitization of customer records and content. Additionally, the average loss per incident is highest in many of the sectors that have the greatest frequency of cyberattacks, underscoring the potential credit implications for these sectors, such as financial losses, contingent liabilities, and business interruption (see chart 3).
Chart 3
Hackers are increasingly focusing on financial gains
The U.S.-based software company Guidewire reports that most publicly available cyber incidents at nonfinancial corporate entities are related to data breaches. The number of ransomware attacks has also risen rapidly in recent years with an increasing number of attacks using a double-extortion strategy, where following a data breach, the attackers threaten to publicly disclose or sell stolen data should companies not pay the ransom. Ransomware attacks can also target business interruption to demand payment. This expands potential targets beyond traditional data breach candidates, to companies with high exposure to operational downtime, as with attacks on food processor JBS S.A. and midstream utility Colonial Pipeline Co. in 2021.
There is a high correlation between monetary losses and the size of an issuer as measured by revenue (see chart 4). Companies with revenue in the $1 billion-$5 billion and $5 billion-$10 billion ranges have seen the largest increase in average losses per cyber incident. Revenue scale is likely correlated with the scale of data, along with valuable IP, manufacturing processes, and trade secrets, as well as the costs of business interruption. While we believe losses have been primarily the result of direct attacks on specific companies, given increased interconnectivity, even direct attacks can have unintended consequences for second and third parties. For example, while hackers sought to extract ransom in their attack on Colonial Pipeline Co., the incident had secondary effects on other entities, resulting in temporary fuel shortages and customer panic.
Additionally, we are seeing more attacks on software service providers that create systemic risk for entities using those services. The risk of systemwide attacks over the coming years will continue to grow as companies shift to the cloud and use common third-party tools, highlighting the need for all issuers to enhance their strategy and spending around cyber security.
Chart 4
Regulatory scrutiny and insurance premiums are growing
The demand by governments and regulatory bodies for companies to disclose cyber incidents and ransomware payments is increasing, particularly for critical infrastructure, and to share this information in a timelier manner, which would help improve corporate and government cyber security posture. We expect laws relating to disclosure of cyber security incidents to be codified across various countries and grow over the coming years, beyond those already established such as the General Data Protection Regulation (GDPR).
For instance, on March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) became a law requiring owners and operators of critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. The law tasks CISA to issue regulations specifying the types of cyber incidents that entities across 16 critical infrastructure sectors will have to report.
Separately, on March 9, 2022, the U.S. Securities and Exchange Commission (SEC) proposed amendments to its rules to enhance and standardize disclosures regarding cyber security risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, current reporting about material cyber security incidents and periodic reporting on policies and procedures to identify and manage cyber security risks; the board of directors' oversight of cyber security risk; management's role and expertise in assessing and managing cyber security risk, and to provide updates about previously reported cyber security incidents.
In terms of insurance coverage, given the recent significant increases in the frequency and severity of cyber insurance claims, the insurance industry has improved its cyber risk management and is facing a period of portfolio optimization leading to heavy rate increases and adjustments in coverage and terms & conditions (see "Cyber Risk In A New Era: Reinsurers Could Unlock The Cyber Insurance Market", published Sept. 29, 2021).
These trends are making cyber insurance in general more expensive but will increase the focus on risk differentiation by incorporating security standards and linking improvement in customers' information security levels to pricing consideration. That means corporate entities with a more resilient cyber security strategy will receive more attractive insurance rates, which could help to incentivize policyholders to adopt better cyber hygiene. Additionally, cyber insurance providers can play an important role in improving the cyber resilience of their policyholders by providing an ecosystem of cyber services, such as IT expertise, crisis management, and data recovery, to prevent cyber claims or to investigate any attacks on a policyholder quickly. While such factors could help to improve cyber security over the long term, for now the cyber re/insurance market remains capacity constrained. Many insurance providers are changing terms to restrict coverage for systemic risks (such as those relating to compromised software infrastructure or cyberattacks deemed acts of war), requiring higher retention levels for corporates, or imposing coinsurance requirements for ransom payments, which could make it more challenging for companies to be fully compensated in such a scenario.
Chart 5
Reflecting Cyber Risk In Our Ratings
Cyber risk results from a combination of the hackers' goals, motivation, and capabilities (likely driven by the assets a company possesses or its importance to critical infrastructure) and the organization's cyber preparedness. As cyberattacks increase in sophistication and frequency, companies must embed cyber security into their risk-mitigation strategies to reduce their vulnerability. We consider the issuer's focus on and commitment to cyber defense, and its application of good cyber hygiene, as prerequisites for mitigating cyberattacks and for containing and remediating losses when cyberattacks succeed. If we believe an issuer is not incorporating cyber risk mitigation strategies into its corporate governance, it could result in a lower rating than similarly positioned peers.
Cyberattacks could harm credit quality in the form of reputational risk, loss of customer and supplier relationships, as well as financial impacts resulting from operating shutdowns, liquidity constraints, investments to remediate infrastructure, investments in training, and regulatory and litigation costs. Although most issuers facing cyber incidents have so far had sufficient financial cushion with limited ratings impact, we believe cyber risk represents a growing threat and will likely pose greater downside risks on credit ratings over the coming years.
Cyber preparedness is crucial to mitigate risk
Our assessment of the company's risk management aims to be forward looking and reflect its cyber readiness to prevent or minimize the potential losses. While cyber defenses may not provide full immunity from incidents, good cyber preparedness should help detect and respond to an incident sooner and likely mitigate losses. Further, we expect that cyber incidents will often shine a light on the lack of preparedness.
Assessing Cyber Risk Preparedness
Our analysis of a company's strategy to prepare for, respond to, and recover from an attack leverages the National Institute of Standards and Technology (NIST) framework. We expect most issuers to put in place appropriate levels of cyber defenses to address each of the five core NIST framework functions:
- Identify cyber risk: The issuer understands its external environment and has put in place a cybersecurity strategy that addresses key risks and allocates resources to govern and test the strategy as a part of its broader ERM framework. The issuer knows its physical and digital assets and its dependencies on third parties, has set risk tolerances, and has created board accountability.
- Protect assets: This entails implementing cyber hygiene practices such as firewalls, antivirus, and staff training. The issuer conducts regular systems access audits and has controls around financial payments.
- Detect cyberattacks: Establish tools and processes to monitor systems and detect potential threats.
- Respond and limit damage: Have a defined incident response plan that is frequently tested to contain and mitigate the impact of cyberattacks, communicate with the relevant stakeholders, and analyze the incident for lessons learned.
- Recover: Restore data from backups, reconfigure systems, or use other means of regaining systems access; communicate with key stakeholders; and incorporate lessons learned into risk-management policies and practices.
In assessing cyber preparedness, we attempt to understand whether a formally documented cyber security strategy exists and whether the issuer routinely measures its effectiveness and maturity. If a financial sponsor owns the company, we try to understand whether cybersecurity is something the financial sponsor focuses on and its level of cyber expertise. Further, we try to understand who is ultimately responsible for the company's cyber security, how the company allocates its budget toward cyber security, whether the company benefits from any cyber expertise on its board, and whether it has put in place appropriate levels of cyber insurance and considered exceptions arising from systemic risk in its policy.
Within our Corporate Methodology framework (see below), we factor cyber risk into our management & governance (M&G) assessment, typically under "comprehensiveness of risk management standards and tolerances", although other areas of our management and governance assessment could become relevant, such as board effectiveness, management culture, or other management and governance considerations (see M&G criteria). For example, Yahoo's data breaches in 2013 and 2014 were disclosed by the company in the second half of 2016, which at that time in our view was an example of poor management preparedness, disclosure, and response to a cyberattack. These breaches collectively impacted almost its entire 3 billion userbase and resulted in lawsuits, regulatory investigations, and a $350 million reduction in the company's acquisition price by Verizon.
Cyberattacks can affect various aspects of credit quality
Following a cyberattack, we would, if material, capture the credit impact on a company in various parts of the Corporate Ratings framework depending on the type, severity, and longer-term effects of the incident. For example:
- Competitive position: a cyber incident could harm a company's competitive position due to reputational damage, customer attrition, business disruption, or increased costs that impact profitability.
- Liquidity: a company's liquidity position could be negatively affected due to financial losses stemming from ransomware, security investments and payments to third-party consultants, litigation, customer subsidies, etc.
- Cash flow/leverage: higher operating costs or investments to address cyber deficiencies could have a negative impact on cash flow, lowering its profitability and increasing leverage.
- M&G: a cyber incident could expose material deficiencies in the comprehensiveness of enterprise-wide risk management standards and tolerances, board effectiveness, or other governance factors, leading to a negative revision of our M&G assessment and/or ESG indicator assessments.
As we note in our methodology ("Environmental, Social, And Governance Principles In Credit Ratings," Oct. 10, 2021), we view cyber risk first as a governance risk factor and typically capture it through our assessment of risk management, culture, and oversight. Our ESG governance indicator in the G-3 to G-5 range reflects our view of how relevant and material the impact of inadequate governance is on an issuer's creditworthiness. Cyberattacks could also be reflected as a social risk factor (for example, social capital) to the extent that the incident impacts customer privacy and has material negative reputational consequences affecting stakeholder relationships or triggering important penalties from regulators. For example, the Equifax data breach resulted in the loss of consumer names, social security numbers, birth dates, and addresses amongst other data for about 147 million people and eventually resulted in a settlement payment in excess of $700 million, and increased costs and investments that led us to downgrade the company to 'BBB' from 'BBB+' in March 2019. In rare cases, cyber-related social factors could be a positive consideration in our credit rating analysis, such as for cyber security software providers like CrowdStrike Holdings Inc.
Cyber preparedness will play a greater role in credit analysis
Within the context of ratings, we focus on elements of cyber security that are relevant and material for the assessment of credit risk for our rated issuers. We leverage our interactions with issuers to identify their commitment and prioritization of cybersecurity in their overall risk management efforts.
Further, we strive to identify, compare, and contrast structural and operational steps issuers take compared with the broader rated universe. While most of the credit rating actions to date have arisen after a cyberattack, we believe the level of cyber risk preparedness is likely uneven across corporate issuers and sectors and will become increasingly important in our analysis of issuers' management and governance.
This report does not constitute a rating action.
Primary Credit Analysts:
- Michael P Altberg, New York + 1 (212) 438 3950; michael.altberg@spglobal.com
- Vishal H Merani, CFA, New York + 1 (212) 438 2679; vishal.merani@spglobal.com
- Mark Habib, Paris + 33 14 420 6736; mark.habib@spglobal.com
- Raam Ratnam, CFA, CPA, London + 44 20 7176 7462; raam.ratnam@spglobal.com
Secondary Contact:
- Emma Hutchinson, London; emma.hutchinson@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.