To identify common themes arising from cyber incidents, including the nature and type of cyber attacks, management teams' response and communication, and the impact of cyber attacks on credit quality, we analyzed certain cyber attacks that occurred since January 2022 on 75 of our rated non-financial corporates across the world. The data we used for our survey and analysis was based on publicly available information, management disclosures, our research, and press reports.

Cyber Risk Varies Across Sectors…

Sectors that process large amounts of data or provide critical services face heightened cyber risk. Yet, no sector is completely immune to cyber attacks. Our analysis of these 75 incidents revealed that the IT and telecommunications service sectors each accounted for 12% of cyber attacks, followed by media and entertainment (11%), retail (11%), consumer products (9%), and transportation (9%) (see chart 1).

Our survey results are similar to the findings of third-party reports, for example from Guidewire, which also showed that sectors such as technology, media and entertainment, retail, and restaurants are often more exposed to cyber risk than others. According to IBM Security's 2023 X-Force Threat Intelligence Index, the third-highest industry sector affected was what they refer to as the professional, business, and consumer services sector, which includes IT and media and entertainment. The report goes on to state that 18% of incidents involved backdoors (malicious software that provides a way for attackers to bypass security and access a compromised system) and ransomware attacks.

Chart 1

…And Regions

We currently witness a rise in cyber attacks across the globe. In the data we analyzed, the U.S. accounted for the highest proportion of cyber attacks, followed by Australia, and the U.K.

Cyber-related disclosure requirements are increasing worldwide, which will result in more companies having to report cyber events they previously would not have disclosed publicly. The introduction and enforcement of cyber security reporting will also enable financial market participants to better assess the impact of cyber attacks with more granularity. Reporting standards have evolved to improve the timeliness of market communication. For example, from Dec. 18, 2023, the U.S. Securities and Exchange Commission (SEC) will require public companies' to report material cyber security incidents on a Form 8-K (or Form 6-K for foreign private issuers) within four business days of materiality determination. Public companies will be required to describe the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact. Disclosures for risk management, strategy, and governance will be effective for all registrants for fiscal years ending on or after Dec. 15, 2023 (for more details, see "Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost," Aug. 3, 2023).

Data Breaches And Ransomware Are The Most Common Types Of Cyber Incidents

Our analysis showed that data breaches account for more than half of cyber incidents, followed by ransomware attacks (see chart 2). This aligns broadly with data from other sources, for example Verizon's 2023 Data Breach Investigations Report, which states that system intrusion represents the second most common type of security incident, just after ransomware attacks. We note that most of this activity occurred in the U.S., which aligns with corporate disclosures and news coverage. A recent report by cybersecurity company Malwarebytes stated that, with 43%, the U.S. accounted for the highest proportion of ransomware attacks globally between July 2022 and June 2023.

Chart 2

Monetary losses from data breaches have increased over the past few years. According to IBM Security's Cost of a Data Breach Report 2023, the global average cost of a data breaches reached $4.45 million in 2023--an all-time high and a 15% increase, compared with 2020. The report is based on data breaches experienced by 553 organizations globally between March 2022 and March 2023.

A high number of attacks happened through third- party vendors

While a large proportion of cyber attacks is typically driven by phishing or employee error, we have noted that many attacks were conducted through third-party vendors. Many cyber breaches arose from attacks on, or security lapses at, third-party vendors or service providers. Within our sample, about 15% of cyber attacks resulted from security vulnerabilities at third-party vendors, such as payroll and recruitment service providers. This highlights the importance of surveilling third-party vendors' cyber hygiene policies and practices. When dealing with third-party vendors, organizations must have end-to-end cyber policies, including onboarding, monitoring, and detection policies.

Our Take On Cyber Incidents From A Credit Perspective

We leverage our interactions with the management of our rated companies to identify their cyber security preparedness, including their commitment and prioritization of cyber security in their overall risk management efforts. When we become aware of cyber incidents at our rated issuers, we engage with management teams to identify and analyze how they respond to the incident. Within the context of ratings, we focus on elements of cyber security that are relevant and material for the assessment of credit risk for the rated company.

We aim to understand the various structural and operational steps companies take to contain the risks from the cyber incident, solidify their defenses, and prevent future attacks. Based on our assessment of recent cyber incidents and our interactions with various management teams, we identified four common themes and key areas that are important from a credit perspective (see chart 3).

Chart 3

Business impact: Operational disruption is becoming more prevalent

We have observed an increase in the number of attacks against companies' core business processes and operations. This has a negative effect on business operations, either because threat actors directly target critical systems or because companies often shut down their systems to contain or limit the impact of the attack. In such cases, companies resort to manual workarounds or processes to continue servicing customers and to prevent longer-term reputational or brand damage. Well laid-out business continuity and thoroughly tested disaster recovery plans can help management teams significantly to continue servicing consumers using alternative workarounds or manual business processes.

Communication: A tricky balancing act

Keeping all stakeholders up to date in the aftermath of a cyber attack is a key aspect for senior management teams. In many cases, it takes them several weeks or even months to complete their investigations. During this time, they need to communicate timely and openly, as regulations in the U.S. and Europe demand that management ensure timely disclosure to market participants. At the same time, management needs to minimize the risk of unintentionally compromising ongoing investigations. If personal details of employees or customers are compromised, management teams have to communicate in a more detailed and timely manner to minimize longer-term impacts and limit the extent of fines or legal actions.

Management and governance: Cyber events test contingent risk management

Management teams' ability to deal with cyber events reflects their proficiency in contingent risk management. Those teams that lack dedicated resources, attention, or preparedness often find themselves ill-equipped in the face of cyber attacks, not least since cyber incidents can be exceedingly time-consuming. The complexity of dealing with cyber events eats into management's bandwidth and takes time away from operational priorities. Stricter regulations mean that an increasing number of management teams seek assistance from external cyber security experts, IT consultants, and law firms. We believe the level of cyber risk preparedness is uneven across corporate issuers and sectors and will become increasingly important in our analysis of issuers' management and governance. For companies with weak or limited focus on cyber preparedness, a cyber breach is an unwelcome wake-up call. After experiencing a cyber incident, it is not surprising that many management teams increase their cyber security budgets. We also observe that companies focus on reengineering their business processes, strengthening firewalls, and augmenting their cyber defenses. As many cyber incidents arise from employee error and oversight, quite often system defenses have to be supplemented by employee technical training to increase cyber risk awareness and implement practical steps to improve cyber hygiene. Management and employee appreciation of the importance of cyber preparedness increases during and when assessing lessons learned from simulation and scenario-based games, which replicate the potential impact of cyber disruptions, serve to train employees, and test the resilience of disaster recovery plans.

Financial impact: Increase in visibility and extent

Given the extent of business disruption arising from some recent cyber events, the visibility and extent of cyber events' financial impact is increasing. Very few companies fully quantify the impact of cyber events in detailed monetary terms. Manufacturing companies could typically recoup production losses or lost orders over a few months or quarters, but the potential financial damage from the hit to brand reputation, which results from weaker service levels, is difficult to quantify and is only likely to become apparent over the long term. Compensation from cyber insurance claims is typically not extensive enough to fully offset the financial impact of business disruption and subsequent remedial spend. Protracted investigation times, remedial actions, regulatory fines, legal appeals, and potential litigation claims can make the financial quantification of cyber attacks even more complex and time-consuming.

Corporates Increasingly Use Cyber Insurance

We see a trend that companies increasingly opt for cyber insurance to manage their exposure to cyber risks and offset costs from cyber incidents. Global cyber insurance premiums reached about $12 billion in 2022 and, in our view, will likely increase by an average of 25%-30% per year to about $23 billion by 2025 (see chart 4 and "Global Cyber Insurance: Reinsurance Remains Key To Growth," Aug. 29, 2023).

Chart 4

Cyber insurance providers can play a vital role in improving companies' cyber resilience. It is not uncommon that insurance companies demand minimum cyber hygiene standards as prerequisite for insurance coverage. This could help improve corporates' cyber security in the long term. Increasing complexity means companies need to be cognizant of exclusions in their cyber security coverage. Many insurance providers change terms to restrict coverage for systematic risks--such as compromised software infrastructure or cyberattacks that are deemed as acts of war--increase retention levels for corporates, or introduce coinsurance requirements for ransom payments, which could make it more challenging for companies to get full compensation. Additionally, more insurers raise their minimum cyber hygiene standards for policyholders, which further increases cyber-related costs for issuers.

Cyber Attacks Did Not Lead To Immediate Rating Actions

In our analysis of cyber events, we noted that cyber attacks didn't have a direct impact on ratings or outlooks in our rated corporate universe between January 2022 and now.

Yet, they can put downward pressure on companies' credit quality over a period of time. While not a material driver of credit rating actions to date, we note the rising nature of the threat, both in terms of frequency and monetary impact.

About 59% of the cyber attacks we recorded in our analysis focused on investment-grade companies and the remaining 41% on speculative-grade issuers (see chart 5). Additionally, we believe the potential for rating impact from cyber risks is accentuated for lower-rated speculative-grade companies since they typically have limited financial resources to absorb the fallout of a high-impact cyber attack.

Chart 5

All the issuers who experienced cyber incidents to date in the sample that we analyzed had sufficient financial buffers to deal with the attack. This is mainly because monetary losses, such as ransomware or litigation payments, have been relatively modest so far, compared with issuers' financial resources. Expenses that arose in the aftermath of cyber attacks--including costs to remediate the incident, provide additional customer support, and hire cyber security experts--were so far manageable and did not have an material effect on organizations' liquidity or earnings. In our analysis of these events, no cyber attack against any company we rate induced us to lower our assessment of these companies' financial risk profiles or liquidity modifiers.

Nevertheless, cyber attacks that target key operations or business processes are starting to result in revenue loss and increasing costs to resume full operability. In some cases, these are becoming quite meaningful or diminish financial headroom under the credit metrics, together with other operating pressures.

In addition to financial outflows for ransomware payments and regulatory fines, organizations are increasingly exposed to the potential longer-term impacts of cyber attacks. These include business interruption or reputational damage, which could have more severe and longer-lasting consequences on revenue, customer trust and attrition, business relationships, and companies' competitive positions. These are harder to quantify and often only materialize over a longer period. With the rising number, increasing sophistication, and frequency of cyber attacks, we believe cyber risk represents a growing threat and will likely pose greater downside risks to credit ratings in the coming years.

Related Research

• Stay Vigilant: Highlights From The Cyber Risk Seminar 2023, Oct. 20, 2023
• Global Cyber Insurance: Reinsurance Remains Key To Growth, Aug. 29, 2023
• Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost, Aug. 3, 2023
• Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing, Nov. 7, 2022
• How Cyber Risk Affects Credit Analysis For Global Corporate Issuers, March 30, 2022

Appendix