Chart 1
Key Takeaways
- Asia-Pacific's cyber risks are growing even as they are under-reported and under-appreciated.
- Third-party data providers, such as Guidewire, indicate that cyber risks in Asia-Pacific are just as high, if not higher, than in the U.S. or Europe.
- Direct or indirect attacks along the supply chain may affect issuer ratings; our assessment looks at all these possible risks.
Stakeholders seem to be taking an out-of-sight, out-of-mind attitude toward cyberattacks in Asia. A lack of public disclosure requirements is likely to result in an under-reporting of cyber incidents in the region. S&P Global Ratings views vulnerability to cyberattacks as a credit risk.
We believe further that limited disclosure can create a degree of complacency among investors and corporate managers. Cyber risks for Asia-Pacific issuers are as high as those for rated issuers in the U.S. or Europe, according to data provided by Guidewire, a third-party research entity (see chart 1).
The threat of attacks is rising globally, with occasionally damaging consequences for firms' operations. Recent examples in the U.S. from September include MGM Resorts International and Clorox Co., which each disclosed unrelated and serious cyberattacks (see box, and "What We've Learned About Cybersecurity Risk Following Recent Attacks In The U.S. Gaming Sector," Nov. 9, 2023).
Asia-Pacific has its own risk characteristics. A high concentration of rated entities are in manufacturing, which exposes them to attacks on suppliers and key infrastructure. Moreover, more industrial production is moving online, to make use of technologies such as artificial intelligence (AI). For example, at a recent policy-setting event in China known as the Two Sessions, officials vowed to integrate much more AI into manufacturing.
Guidewire data reveals that, on average, the industrial control systems of more Asia-Pacific issuers were detectable online, compared with global issuers. Industrial control systems are software used to manage key manufacturing functions. If such systems are detectable online, they are vulnerable to an attack by hackers.
As a sign of the dangers, Rockwell Automation Inc. recently warned its customers to disconnect industrial control systems from the internet if they were not specifically designed to be publicly facing. Rockwell is a provider of industrial automation services.
Chart 2
The High Cost Of Cyberattacks: The Cases Of Clorox And MGM
Most cyberattacks never get through security systems. Those that do typically cause minimal disruption. However, occasionally, a hack may cause significant damage.
In the case of Clorox, an incursion in August of 2023 crippled automated order processing across its portfolio long enough to cause mass shortages. The disruption was significant enough that we revised the ratings outlook on Clorox to negative (see "Clorox Co. Outlook Revised To Negative From Stable On Materially Lower Guidance; Ratings Affirmed," Nov. 16, 2023).
Similarly, a cyberattack on MGM Resorts in 2023 left its customers unable to book restaurants or hotel rooms online, caused long delays during check-in and check-out, and affected some of its gaming operations. Though this did not change our ratings, MGM disclosed that the attack would result in a US$100 million hit to its third-quarter results in 2023.
Clorox and MGM were lucky that the attacks did not have long-lasting consequences, such as damage to its brand or a permanent loss of customers.
The companies also had plenty of financial headroom to withstand the attacks. But entities with thinner liquidity or financial buffers, or which operate in significantly more competitive industries, may not be so lucky.
Chart 3
Cyberattacks Are Underreported In Asia-Pacific
Tracking and measuring cyberattacks is difficult in the best of circumstances. It's particularly difficult in Asia, with its patchwork of rules and regulators, and generally low disclosure requirements on companies.
A lack of disclosure can make it more difficult to assess cyber risks. Moreover, attacks may be direct or indirect, targeting service providers, suppliers, logistic networks, or critical infrastructure (ports, utilities, telecommunication, financial networks, and the like; see chart 3).
In the wake of a growing number of cyberattacks globally, Asia-Pacific regulators and legislators are starting to address this risk. Countries such as China, South Korea, Japan, India, Singapore, and Australia have all rolled out rules requiring companies to provide more disclosure of attacks, and more details on their level of preparedness.
Regulators are scrutinizing firms that provide critical infrastructure. Recently, Singapore, in the first amendment of its Cybersecurity Act, proposed expanding the reporting requirements for critical infrastructure owners to include incidents affecting entities in their supply chain.
However, most of these new rules do not require public disclosures of cyber incidents. They typically require timely reports of attacks to regulators, or perhaps just set higher standards for cybersecurity (see table 1).
Table 1
Firms in Asia-Pacific typically need to disclose cyber breaches, just usually not to the public | ||||||||
---|---|---|---|---|---|---|---|---|
Disclosure standards by country, territory, or region | ||||||||
Category of breach | Disclosure requirement to regulators | Disclosure requirement to the public | Penalty for noncompliance | |||||
Australia | ||||||||
Critical infrastructure | In Australia, entities responsible for critical infrastructure are required to report a cybersecurity incident to the Australian Signals Directorate. | Listed companies are required to inform the Australian Securities Exchange if an incident is expected to have a material effect on the price or value of listed securities. |
Failure to have to have an incident response plan for cybersecurity incidents may result in a maximum civil penalty of A$22,000-A$55,000. |
|||||
Data breaches | Same as above. | A serious or repeated breach of privacy may draw a fine of A$220,000-A$550,000. | ||||||
Mainland China | ||||||||
Data breaches | Breaches involving more than 1 million customers and RMB5 million of costs require disclosure. If incidents are more serious, involving more customers and greater cost, firms must report the event to the National Network and Information Department within one hour. | |||||||
Hong Kong | ||||||||
Cyber incidents | Material cyber incidents must be reported to the Hong Kong Securities and Futures Commission, or the Hong Kong Monetary Authority (HKMA). | |||||||
India | ||||||||
Security breaches | Notify the Indian Computer Emergency Response Team within six hours. | Private and public companies must notify stock exchanges. Public companies must disclose the event in annual reports. | Penalties could include imprisonment or a fine. | |||||
Japan | ||||||||
Critical infrastructure | Enitities providing critical infrastructure must report any event to the National Center of Incident Readiness and Strategy for Cybersecurity. Regulatory approval is also required for new facilities to ensure cyber safety. | The Japan Exchange Group requires timely disclosure if a cybersecurity incident occurs at a listed company and it has a significant effect on investment decisions. This is regardless of the criticality of the infrastructure. | ||||||
Data breaches | Mandatory reporting of personal data breaches within 3-5 days, according to the Act on the Protection of Personal Information. | Up to ¥100 million for a failure to comply with orders to rectify major data management issues. | ||||||
Singapore | ||||||||
Critical infrastructure | Report to the Commissioner of Cybersecurity within two hours of an incident. | Failure to notify could result in imprisonment of up to two years, or a fine of not more than S$100,000 for the responsible party. | ||||||
Personal data breaches | Must notify data breaches to the Personal Data Protection Commission as soon as practicable and no later than three days. | Only if material. | ||||||
South Korea | ||||||||
Critical infrastructure | No immediate reporting requirements. Entities providing critical infrastructure are required to make annual disclosures on the state of information security to regulators. | |||||||
Southeast Asia | ||||||||
Critical infrastructure | Most countries require entities providing critical infrastructure to report cyber incidents. | Failure to report cyber incidents can result in a fine in many countries. | ||||||
Data breaches | Most countries require notification to the relevant authorities if the breach involves personal data. | |||||||
RMB--Chinese renminbi. S$--Singapore dollar. Sources: Circulars issued by the Securities and Futures Ordinance and the Hong Kong Monetary Authority, draft measures issued by the Cyberspace Administration of China, National Center of Incident Readiness and Strategy for Cybersecurity, Japan Exchange Group, circulars issued by the Securities and Futures Ordinance and the Hong Kong Monetary Authority, draft measures issued by the Cyberspace Administration of China, reports from Cyber and Infrastructure Security Centre, Australia, Singapore's Cybersecurity Act, 2018, and reports from the Cyber Security Agency of Singapore. |
While some Asian jurisdictions require public notification of data breaches, most do not. Some regulators seek transparency on cyberattacks using stock-exchange rules requiring disclosure of material events.
Yet, materiality is an imprecise and ambiguous measure, particularly for cyber incidents. For example, do leaks of customer data meet the materiality threshold if the immediate cost of the breach is small or difficult to measure?
Moreover, most exchanges and regulators in the region don't have strict requirements that firms report their incidents. Companies may delay or even omit such disclosures. Finally, such rules would only apply to listed entities.
By contrast, the U.S. is toughening its reporting rules on cyber incidents (see "Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost," Aug. 3, 2023.) The Securities and Exchange Commission has set standards for public disclosure of cyberattacks on registered companies. These include reporting incursions within four days after the determination of their materiality.
Europe has also taken a tough approach in requiring companies to carefully safeguard user data, and to protect consumers using products with digital elements.
Disclosure requirements in Asia-Pacific are often more relaxed than in the U.S. and Europe. Tellingly, the cyberattacks that our rated Japanese firms disclosed in the past year largely occurred at overseas subsidiaries, or affected overseas users. This was likely because offshore regulations required disclosure, whereas Japan did not. We assume as such that there were other attacks on Japanese issuers last year that were not disclosed (see table 2).
The upshot is that Asia-Pacific incidents are underreported. We believe this breeds under-preparedness among issuers, and an inability for investors to assess the full risk of such breaches.
Table 2
Most disclosed incidents for Japanese rated issuers are from their overseas subsidiaries | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
A roundup of some of the most serious recent incursions in Asia-Pacific, that we know of | ||||||||||
Incident description and impact | Region affected | Rating* | Sector | |||||||
Toyota Motor Corp. |
In May 2023, Toyota disclosed that the vehicle data of 2.15 million users in Japan, or almost all customers that signed up for its main cloud service platforms since 2012, had been publicly available for a decade due to human error. | Japan | A+/Stable/A-1+ | Automobiles & components | ||||||
Sony Group Corp. |
In October 2023, Sony confirmed it found indications of a breach of one of its servers in Japan, in response to claims that hackers had attacked the company's systems. | Japan/global | A/Stable/A-1 | Consumer products | ||||||
Toyota Motor Corp. |
In December 2023, Toyota Financial Services (TFS), a subsidiary of Toyota Motor Corp., disclosed that it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack. The company had detected unauthorized access on some of its systems in Europe and Africa. TFS sent notices to German customers informing them of the breach. | EMEA | A+/Stable/A-1+ | Automobiles & components | ||||||
Nissan Motor Co. Ltd. |
The carmaker revealed in early December 2023 that hackers had targeted systems belonging to Nissan Motor Corp. and Nissan Financial Services in Australia and New Zealand. | Australia and New Zealand | BB+/Stable/B | Automobiles & components | ||||||
Sony Group Corp. |
In December 2023, the Sony-owned U.S. game developer Insomniac Games responded to a cyberattack by ransomware group Rhysida. Roughly 1.67 terabytes of company data, including assets, employee information, and other information was released online. | U.S. | A/Stable/A-1 | Consumer products | ||||||
AGC Inc. |
AGC Inc. confirmed that its subsidiary (AGC Automotive Americas, headquartered in the U.S. state of Michigan) was hacked on Dec. 15, 2023. Some of the subsidiary's systems were disrupted, hitting its production and shipments. | U.S. | A-/Stable/A-2 | Building materials | ||||||
Nissan Motor Co. Ltd. |
In May 2024, Nissan revealed that it suffered a data breach involving potentially sensitive data of more than 53,000 current and former employees at Nissan's U.S. subsidiary, Nissan North America Inc. | U.S. | BB+/Stable/B | Automobiles & components | ||||||
*As of May 30, 2024. EMEA--Europe, the Middle East, and Africa. Source: S&P Global Ratings. |
Toyota Vulnerabilities Extend Through Its Network
Defending against cyberattacks on a company's own network is difficult enough. Yet, companies must now look at cyber vulnerabilities beyond their own systems.
A rising number of cyberattacks are hitting operations either directly--many through third-party service providers employed by the target companies--or indirectly across their suppliers and providers of logistics and infrastructure.
Toyota Motor Corp. (A+/Stable/A-1+) is a perfect example of how disruptions from cyberattacks can manifest in unexpected ways.
On March 1, 2022, a malware attack forced Kojima Industries Corp. (unrated), Toyota's key domestic supplier of car parts, to suspended operations on all its 28 lines at 14 domestic plants in Japan. Toyota's response helped Kojima quickly resolve the issue.
As a result, Toyota's production was suspended only for a day, affecting about 13,000 vehicles (compared with global sales of more than 9.6 million for the full year ended March 31, 2022).
Separately, on July 4, 2023, Nagoya Port faced a ransomware attack that disrupted handling of containers. The Nagoya Port is the largest in Japan in terms of cargo. It handles 10% of Japan's total trade volume, and car exports of major companies goes through the port.
It took about three days for the port to get operational services back on track. The port serves as a key logistic channel for Toyota's exports. Luckily for Toyota, its large scale, strong inventory management, and diversified logistical network minimized the fallout.
In both cases, Toyota's cash flows and our rating on the firm were largely unaffected by the cyberattacks.
As with the case of Clorox and MGM, Toyota large resources and robust governance ensured it fixed the crisis quickly. Had the above attacks involved a company at the lower end of the credit rating spectrum, they would have been much more damaging.
How Do We Account For Cyber Risks Within Our Credit Rating?
Our credit rating reflects an issuer's cyber preparedness, governance, and concentration risks. This gives us a sense of how disruptive a cyberattack might be.
By including cyber risk in our discussions with management, we rely on entities to share information. For this reason, we examine not just what the issuers tell us, but also our assessment of their defenses and planning.
Slow or ineffective remedial actions in response to contingent risks, such as severe cyberattacks, would prompt us to question the robustness of a company's management and governance.
We consider whether the issuer has formally documented its cybersecurity strategy, and whether it routinely measures the effectiveness of the strategy. We also try to understand who is ultimately responsible for the company's cybersecurity, how the company allocates its budget toward cybersecurity, and the level of cyber expertise on its board. We assess whether companies maintain adequate means to respond and recover from a cyber event without materially compromising financials, through cyber insurance or other means.
In addition, we updated our management and governance criteria to more directly assess cyber-preparedness. In particular, whether an incident exposes deficiencies in risk-management standards and tolerances, board effectiveness, or other governance factors (see "Methodology: Management And Governance Credit Factors For Corporate Entities," Jan. 8, 2024).
Cyber risks may amplify vulnerabilities presented by supplier, distributor, or geographical concentrations. We would reflect that in an issuer's business risk assessment and, ultimately, our rating.
The Stealthy, Surprise Credit Events Can Sting The Most
With all that said, we acknowledge the difficulty of assessing the risk of cyberattacks in Asia-Pacific. We don't believe this is because such incursions are rare, but that they are underreported. It is notable that the record of attacks picks up in markets such as Australia, where the regulations are tighter and disclosure standards higher.
We assume rated corporates in Asia-Pacific are at least as vulnerable as entities in the U.S. and Europe. Cyber incursions pose a meaningful ongoing credit risk in those markets, and so they should for entities in Asia-Pacific. Risks are also increasing for Asia-Pacific financial institutions as they increasingly rely on cloud and third-party service providers (see "Asia-Pacific Banks' Digital Opening Raises Cyber Risks," Sept. 27, 2022).
Investors should be mindful that cyberattacks may strike quickly and randomly, with possibly devastating effects.
Writer: Jasper Moiseiwitsch
Digital Designer: Evy Cheung
Related Research
- Methodology: Management And Governance Credit Factors For Corporate Entities, Jan. 8, 2024
- Clorox Co. Outlook Revised To Negative From Stable On Materially Lower Guidance; Ratings Affirmed," Nov. 16, 2023.
- Cyber Attack On ICBC Financial Services Highlights Risk Management Challenges Overseas, Nov. 14, 2023
- What We've Learned About Cybersecurity Risk Following Recent Attacks In The U.S. Gaming Sector, Nov. 9, 2023
- Australian Mutual Lenders: Path Of Least Resistance May Lead To Higher Cyber Risk, Aug. 29, 2023
- Cyber Risk Insights: New Regulations Will Increase Resilience, At A Cost, Aug. 3, 2023
- How Cyber Risk Affects Credit Analysis For Global Corporate Issuers, March 30, 2022
- Perspectives On Cyber Risk Across Corporates: The Potential Impact Of Cyber Threats Is Growing, Nov. 7, 2022
- Asia-Pacific Banks' Digital Opening Raises Cyber Risks, Sept. 27, 2022
- How Cyber Risk Affects Credit Analysis For Global Corporate Issuers, March 30, 2022
This report does not constitute a rating action.
Primary Credit Analysts: | Clifford Waits Kurz, CFA, Hong Kong + 852 2533 3534; clifford.kurz@spglobal.com |
Shruti Zatakia, Singapore + 65 6216 1094; shruti.zatakia@spglobal.com | |
Ricky Tsang, Hong Kong (852) 2533-3575; ricky.tsang@spglobal.com | |
Shinichi Endo, CFA, Tokyo (81) 3-4550-8773; shinichi.endo@spglobal.com | |
Research Assistants: | Akshay S Aggarwal, Mumbai |
Harshil Doshi, Mumbai |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.