Risk management has historically been comprised of independent disciplines, with professionals focused on credit, market or operational risk. Over time, firms have been moving to a true enterprise view, with disciplines converging. This was underscored by the Financial Accounting Standards Board’s latest Current Expected Credit Loss (CECL) standard that links credit, accounting and reputational risk assessments to help financial institutions estimate expected lifetime credit losses.

As this convergence has been taking place, new areas of risk have continued to emerge requiring credit and risk management professionals to widen their scope to effectively assess potential vulnerabilities within companies, supply chains and loan and investment portfolios. We now hear a great deal about climate and regulatory risk, for example. In addition, there is an ever-increasing focus on cyber risk, which escalated during the COVID-19 pandemic with the move to remote work environments and the migration of company data to the cloud.

Cyber Risk is a Growing Concern

Statistics on cyber risk are astounding. The FBI’s Internet Crime Complaint Center pointed to a 300% increase in reported cybercrimes during the pandemic,^[1] while the U.N. disarmament chief pointed to a 600% increase in malicious emails.^[2] In addition, in 2021 the World Economic Forum ran a survey among members of a cybersecurity leadership community (representing about 100 senior cybersecurity executives from around the globe) and found that 80% saw ransomware as a dangerous threat that is impacting public safety.^[3] Moreover, 97% of this community pointed to business continuity as the main risk when it comes to ransomware attacks. Looking to recent events, the  Russia-Ukraine conflict has raised alarm bells for the U.S. to prepare for Russian cyberattacks. "There is a growing concern that massive cyber warfare could be on the near-term horizon, which would certainly catalyze an increase in spending around preventing sophisticated Russian-based cyber attacks going after datacenters, networks, vulnerability points, and other highly sensitive data," wrote Wedbush analyst Dan Ives, who focuses on tech stocks, wrote in a Feb. 24 research note.^[4]

Cybercrimes Impact Creditworthiness

As digital transformation takes hold across industries, cybersecurity is no longer the sole responsibility of IT departments and must be considered in assessments of credit risk. After all, computer-based systems are used to manage inventories and supply chains, communicate with customers and employees, generate online sales and much more. Technology breaches can result in a significant loss of revenue, large legal costs and damage to a company’s reputation ‒ all on top of the time and expense associated with repairing networks and devices that have been affected. Such breaches can become a red flag for investors wanting to minimize vulnerabilities in their portfolios.

To help quantify the impact of cyber risk on a business’s creditworthiness, in 2021 S&P Global Ratings announced that it was further integrating the cyber risk expertise and insights of Guidewire Cyence Risk Analytics^[5] into its product platforms to complement the company’s own assessments.

Governance Plays a Critical Role

Boards of Directors are responsible for good corporate governance and the long-term viability of their organizations, and must take an active role in guarding against potential disruptions from cybercrimes. According to the World Economic Forum,^[6] leaders need tools and guidelines in order to fulfill their obligations where cybersecurity issues threaten an organization’s reputation and trust among players in an ecosystem. The Forum is therefore updating guidance for the corporate governance of cyber risk in response. 

In addition, in recognition of the importance of governance in addressing cyber risks, the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Division and the National Association of State Chief Information Officers (NASCIO) partnered to develop a state cybersecurity governance report, along with a series of case studies that explore how states govern cybersecurity. Together these pieces identify how states have used laws, policies, structures and processes to help better govern cyber risk as an enterprise-wide strategic issue, providing helpful insights for other states and organizations that face similar challenges.  

All Firms Must Protect Their Businesses

Attacks are not only happening with large publicly listed companies, as sovereign states, government agencies and public institutions are acutely vulnerable, too.^[7] There have been attacks on the U.S. city of Hartford and numerous Texas school districts, across municipal utility sectors and on the Irish healthcare system, to name a few.

Small private companies are not immune to attacks. A 2019 survey^[8] found that an overwhelming majority of these businesses believed they were a target of cybercriminals, highlighting the growing awareness among this group about the impending threats. These attacks can cause small- and medium-sized enterprise to close their doors, evidenced by the fact that organizations with fewer than 500 employees spent an average of nearly $3 million per data breach incident in 2021, up 26.8% from the previous year.^[9]

To help mitigate the potential negative credit impact of cyberattacks, robust cybersecurity remains vital. There is no substitute for a strong cybersecurity system– from internal governance to IT software. Other key factors that determine how well entities manage cyber risk include: prompt remedial action, active detection, C-Suite support (including budget allocation) and a better understanding of risks arising from third-party providers or supply chains.