articles Ratings /ratings/en/research/articles/231025-corporates-up-their-cyber-preparedness-as-cyber-attacks-become-more-widespread-12886049 content esgSubNav
In This List
COMMENTS

Cyber Risk Insights: Corporates Up Their Cyber Preparedness As Cyber Attacks Become More Widespread

COMMENTS

Private Markets Monthly, December 2024: Private Credit Trends To Watch In 2025

COMMENTS

Sustainable Finance FAQ: The Rise Of Green Equity Designations

COMMENTS

Instant Insights: Key Takeaways From Our Research

COMMENTS

CreditWeek: How Will COP29 Agreements Support Developing Economies?


Cyber Risk Insights: Corporates Up Their Cyber Preparedness As Cyber Attacks Become More Widespread

To identify common themes arising from cyber incidents, including the nature and type of cyber attacks, management teams' response and communication, and the impact of cyber attacks on credit quality, we analyzed certain cyber attacks that occurred since January 2022 on 75 of our rated non-financial corporates across the world. The data we used for our survey and analysis was based on publicly available information, management disclosures, our research, and press reports.

Cyber Risk Varies Across Sectors…

Sectors that process large amounts of data or provide critical services face heightened cyber risk. Yet, no sector is completely immune to cyber attacks. Our analysis of these 75 incidents revealed that the IT and telecommunications service sectors each accounted for 12% of cyber attacks, followed by media and entertainment (11%), retail (11%), consumer products (9%), and transportation (9%) (see chart 1).

Our survey results are similar to the findings of third-party reports, for example from Guidewire, which also showed that sectors such as technology, media and entertainment, retail, and restaurants are often more exposed to cyber risk than others. According to IBM Security's 2023 X-Force Threat Intelligence Index, the third-highest industry sector affected was what they refer to as the professional, business, and consumer services sector, which includes IT and media and entertainment. The report goes on to state that 18% of incidents involved backdoors (malicious software that provides a way for attackers to bypass security and access a compromised system) and ransomware attacks.

Chart 1

image

…And Regions

We currently witness a rise in cyber attacks across the globe. In the data we analyzed, the U.S. accounted for the highest proportion of cyber attacks, followed by Australia, and the U.K.

Cyber-related disclosure requirements are increasing worldwide, which will result in more companies having to report cyber events they previously would not have disclosed publicly. The introduction and enforcement of cyber security reporting will also enable financial market participants to better assess the impact of cyber attacks with more granularity. Reporting standards have evolved to improve the timeliness of market communication. For example, from Dec. 18, 2023, the U.S. Securities and Exchange Commission (SEC) will require public companies' to report material cyber security incidents on a Form 8-K (or Form 6-K for foreign private issuers) within four business days of materiality determination. Public companies will be required to describe the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact. Disclosures for risk management, strategy, and governance will be effective for all registrants for fiscal years ending on or after Dec. 15, 2023 (for more details, see "Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost," Aug. 3, 2023).

Data Breaches And Ransomware Are The Most Common Types Of Cyber Incidents

Our analysis showed that data breaches account for more than half of cyber incidents, followed by ransomware attacks (see chart 2). This aligns broadly with data from other sources, for example Verizon's 2023 Data Breach Investigations Report, which states that system intrusion represents the second most common type of security incident, just after ransomware attacks. We note that most of this activity occurred in the U.S., which aligns with corporate disclosures and news coverage. A recent report by cybersecurity company Malwarebytes stated that, with 43%, the U.S. accounted for the highest proportion of ransomware attacks globally between July 2022 and June 2023.

Chart 2

image

Monetary losses from data breaches have increased over the past few years. According to IBM Security's Cost of a Data Breach Report 2023, the global average cost of a data breaches reached $4.45 million in 2023--an all-time high and a 15% increase, compared with 2020. The report is based on data breaches experienced by 553 organizations globally between March 2022 and March 2023.

A high number of attacks happened through third- party vendors

While a large proportion of cyber attacks is typically driven by phishing or employee error, we have noted that many attacks were conducted through third-party vendors. Many cyber breaches arose from attacks on, or security lapses at, third-party vendors or service providers. Within our sample, about 15% of cyber attacks resulted from security vulnerabilities at third-party vendors, such as payroll and recruitment service providers. This highlights the importance of surveilling third-party vendors' cyber hygiene policies and practices. When dealing with third-party vendors, organizations must have end-to-end cyber policies, including onboarding, monitoring, and detection policies.

Our Take On Cyber Incidents From A Credit Perspective

We leverage our interactions with the management of our rated companies to identify their cyber security preparedness, including their commitment and prioritization of cyber security in their overall risk management efforts. When we become aware of cyber incidents at our rated issuers, we engage with management teams to identify and analyze how they respond to the incident. Within the context of ratings, we focus on elements of cyber security that are relevant and material for the assessment of credit risk for the rated company.

We aim to understand the various structural and operational steps companies take to contain the risks from the cyber incident, solidify their defenses, and prevent future attacks. Based on our assessment of recent cyber incidents and our interactions with various management teams, we identified four common themes and key areas that are important from a credit perspective (see chart 3).

Chart 3

image
Business impact: Operational disruption is becoming more prevalent

We have observed an increase in the number of attacks against companies' core business processes and operations. This has a negative effect on business operations, either because threat actors directly target critical systems or because companies often shut down their systems to contain or limit the impact of the attack. In such cases, companies resort to manual workarounds or processes to continue servicing customers and to prevent longer-term reputational or brand damage. Well laid-out business continuity and thoroughly tested disaster recovery plans can help management teams significantly to continue servicing consumers using alternative workarounds or manual business processes.

Communication: A tricky balancing act

Keeping all stakeholders up to date in the aftermath of a cyber attack is a key aspect for senior management teams. In many cases, it takes them several weeks or even months to complete their investigations. During this time, they need to communicate timely and openly, as regulations in the U.S. and Europe demand that management ensure timely disclosure to market participants. At the same time, management needs to minimize the risk of unintentionally compromising ongoing investigations. If personal details of employees or customers are compromised, management teams have to communicate in a more detailed and timely manner to minimize longer-term impacts and limit the extent of fines or legal actions.

Management and governance: Cyber events test contingent risk management

Management teams' ability to deal with cyber events reflects their proficiency in contingent risk management. Those teams that lack dedicated resources, attention, or preparedness often find themselves ill-equipped in the face of cyber attacks, not least since cyber incidents can be exceedingly time-consuming. The complexity of dealing with cyber events eats into management's bandwidth and takes time away from operational priorities. Stricter regulations mean that an increasing number of management teams seek assistance from external cyber security experts, IT consultants, and law firms. We believe the level of cyber risk preparedness is uneven across corporate issuers and sectors and will become increasingly important in our analysis of issuers' management and governance. For companies with weak or limited focus on cyber preparedness, a cyber breach is an unwelcome wake-up call. After experiencing a cyber incident, it is not surprising that many management teams increase their cyber security budgets. We also observe that companies focus on reengineering their business processes, strengthening firewalls, and augmenting their cyber defenses. As many cyber incidents arise from employee error and oversight, quite often system defenses have to be supplemented by employee technical training to increase cyber risk awareness and implement practical steps to improve cyber hygiene. Management and employee appreciation of the importance of cyber preparedness increases during and when assessing lessons learned from simulation and scenario-based games, which replicate the potential impact of cyber disruptions, serve to train employees, and test the resilience of disaster recovery plans.

Financial impact: Increase in visibility and extent

Given the extent of business disruption arising from some recent cyber events, the visibility and extent of cyber events' financial impact is increasing. Very few companies fully quantify the impact of cyber events in detailed monetary terms. Manufacturing companies could typically recoup production losses or lost orders over a few months or quarters, but the potential financial damage from the hit to brand reputation, which results from weaker service levels, is difficult to quantify and is only likely to become apparent over the long term. Compensation from cyber insurance claims is typically not extensive enough to fully offset the financial impact of business disruption and subsequent remedial spend. Protracted investigation times, remedial actions, regulatory fines, legal appeals, and potential litigation claims can make the financial quantification of cyber attacks even more complex and time-consuming.

Corporates Increasingly Use Cyber Insurance

We see a trend that companies increasingly opt for cyber insurance to manage their exposure to cyber risks and offset costs from cyber incidents. Global cyber insurance premiums reached about $12 billion in 2022 and, in our view, will likely increase by an average of 25%-30% per year to about $23 billion by 2025 (see chart 4 and "Global Cyber Insurance: Reinsurance Remains Key To Growth," Aug. 29, 2023).

Chart 4

image

Cyber insurance providers can play a vital role in improving companies' cyber resilience. It is not uncommon that insurance companies demand minimum cyber hygiene standards as prerequisite for insurance coverage. This could help improve corporates' cyber security in the long term. Increasing complexity means companies need to be cognizant of exclusions in their cyber security coverage. Many insurance providers change terms to restrict coverage for systematic risks--such as compromised software infrastructure or cyberattacks that are deemed as acts of war--increase retention levels for corporates, or introduce coinsurance requirements for ransom payments, which could make it more challenging for companies to get full compensation. Additionally, more insurers raise their minimum cyber hygiene standards for policyholders, which further increases cyber-related costs for issuers.

Cyber Attacks Did Not Lead To Immediate Rating Actions

In our analysis of cyber events, we noted that cyber attacks didn't have a direct impact on ratings or outlooks in our rated corporate universe between January 2022 and now.

Yet, they can put downward pressure on companies' credit quality over a period of time. While not a material driver of credit rating actions to date, we note the rising nature of the threat, both in terms of frequency and monetary impact.

About 59% of the cyber attacks we recorded in our analysis focused on investment-grade companies and the remaining 41% on speculative-grade issuers (see chart 5). Additionally, we believe the potential for rating impact from cyber risks is accentuated for lower-rated speculative-grade companies since they typically have limited financial resources to absorb the fallout of a high-impact cyber attack.

Chart 5

image

All the issuers who experienced cyber incidents to date in the sample that we analyzed had sufficient financial buffers to deal with the attack. This is mainly because monetary losses, such as ransomware or litigation payments, have been relatively modest so far, compared with issuers' financial resources. Expenses that arose in the aftermath of cyber attacks--including costs to remediate the incident, provide additional customer support, and hire cyber security experts--were so far manageable and did not have an material effect on organizations' liquidity or earnings. In our analysis of these events, no cyber attack against any company we rate induced us to lower our assessment of these companies' financial risk profiles or liquidity modifiers.

Nevertheless, cyber attacks that target key operations or business processes are starting to result in revenue loss and increasing costs to resume full operability. In some cases, these are becoming quite meaningful or diminish financial headroom under the credit metrics, together with other operating pressures.

In addition to financial outflows for ransomware payments and regulatory fines, organizations are increasingly exposed to the potential longer-term impacts of cyber attacks. These include business interruption or reputational damage, which could have more severe and longer-lasting consequences on revenue, customer trust and attrition, business relationships, and companies' competitive positions. These are harder to quantify and often only materialize over a longer period. With the rising number, increasing sophistication, and frequency of cyber attacks, we believe cyber risk represents a growing threat and will likely pose greater downside risks to credit ratings in the coming years.

Related Research

Appendix

Recent cyber incidents we covered in our publications
Name Sector Country Rating Outlook Extracts from our publications

Johnson Controls International PLC

Building Materials Ireland BBB+ Stable "The timing of the attack, near JCI's fiscal year end, could affect the timing of its financial disclosures, although a delayed filing itself may not affect our view of its credit quality."

Clorox Co.

Consumer Products U.S. BBB+ Stable "Clorox reported widescale disruption to its operations and expects a material negative impact on earnings and cash flow in at least the first fiscal quarter ending Sept. 30, 2023."

Caesars Entertainment Inc.

Hotels & Gaming U.S. B+ Stable "While we don't expect Caesars' financial position to be materially affected by the breach, it is more difficult to quantify the potential reputational risk. The scope of the breach is massive and Caesars relies upon its loyalty program to sustain its substantial ability to attract loyal guests to its properties."

MGM Resorts International

Hotels & Gaming U.S. B+ Stable "We will monitor the potential credit impact of the cybersecurity breach as events evolve over the next several weeks."

ADMI Corp.

Health Care U.S. B- Negative "..we do still attribute some risk that additional cyber event-related losses or incremental costs to bolster its defenses may further impede operating performance over the near term."

Barracuda Networks Inc.

Information Technology U.S. B- Stable "...and released containment and remediation patches and recommended all impacted customers isolate and replace compromised appliances."

Zellis Holdings Ltd.

Information Technology U.K. B- Stable "We do not foresee ransomware group Clop's cyber-attack materially affecting Zellis' fiscal 2024 financials. "

MKS Instruments Inc.

Information Technology U.S. BB Stable " We note that the ransomware incident in February had a total revenue impact of $160 million, of which $120 million has been recovered with the remaining expected to be recovered in the third quarter."

Maximus Inc.

Business & Consumer Services U.S. BB+ Stable "The company believes that sensitive personal information of 14.5 to 17.5 million individuals has been compromised, and it currently estimates a total cost of about $22 million associated with the incident. Class action lawsuits have already been filed against the company in relation to this incident. "

ION Trading Technologies Ltd.

Information Technology Ireland B- Stable "The recent cyber attack had a limited financial impact, but ION Trading could be exposed to reputational damage in the longer term."

Dish Network Corp.

Media & Entertainment U.S. CCC+ Negative "The recent cyber attack furthers cash flow uncertainty."

Coca-Cola Femsa S.A.B. de C.V.

Consumer Products Mexico A- Stable "The cyberattack did not fully breach its security systems, but breached some of its safeguard layers."

This report does not constitute a rating action.

Primary Credit Analyst:Raam Ratnam, CFA, CPA, London + 44 20 7176 7462;
raam.ratnam@spglobal.com
Research Contributor:Akshay Aggarwal, CRISIL Global Analytical Center, an S&P Global Ratings affiliate, Mumbai
Lead Cyber Expert:Paul Alvarez, Washington D.C. +1 2023832104;
paul.alvarez@spglobal.com
Methodology Contact:Nik Khakee, New York + 1 (212) 438 2473;
nik.khakee@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.

 

Create a free account to unlock the article.

Gain access to exclusive research, events and more.

Already have an account?    Sign in