(Editor's Note: This article highlights our most recent cyber insights from a credit perspective with reference to supporting case studies.)
Key Takeaways
- Cybersecurity is a key risk that S&P Global Ratings embeds, as relevant, in its overall assessment of an entity's creditworthiness.
- The increasing frequency of attacks and the potential for rapid deterioration in credit profiles after an attack are risk factors that are relevant for our rating assessments now.
- Leadership, communication, and external transparency are key to limiting the damage caused by a cyber attack. From a credit perspective, we believe that these factors are the most important in limiting potential rating changes post attack.
- Although it is crucial to learn from previous attacks and strengthen cyber risk frameworks in real time, the appropriate detection and remediation of attacks takes precedence as the nature of threats will continue to evolve.
- As attacks become more prevalent, entities that handle them well will ensure a better outcome, in terms of both protecting profitability streams as well as their reputation with customers.
The COVID-19 pandemic has changed the ways we shop, learn, and work with important implications for cyber risk. E-commerce is booming, brick-and-mortar retailers are shifting to digital platforms, and schools and offices have adopted online classes and home working. For organizations, this has meant re-thinking digitalization strategies and doubling-down on information technology (IT) spending, cloud capacity, and infrastructure to boost bandwidth, ensure business continuity, and retain customers.
We believe these digitalization trends are here to stay and will inevitably lead to a higher likelihood of cyber incidents, as entities increase their digital footprint or enter the space for the first time.
The key to cyber risk resilience is a combination of risk management actions, both pre- and post attack. In this way, S&P Global Ratings expects a limited impact on ratings despite the growing number of attacks. There are a number of high profile and/or state-backed sectors for which prevention is crucial given the frequency and impact of such attacks. These may include the utilities sectors, some financial service companies, health care providers, infrastructure, local governments, and other providers of public necessities.
However, for most corporates and financial institutions, given the importance of reputation and customer confidence within our assessment of relative credit risk, appropriate detection and risk management in the wake of an attack can be the key differentiating factor to prevent a balance sheet event from escalating to one that affects an entity's brand, reputation, or wider business profile. This risk crystalized as one factor in the downgrade of Target in March 2014 (for more information, see “Target Corp. Downgraded To 'A' Following Weak Fourth Quarter; Outlook Stable”).
The swift remediation of cyber attacks is increasingly vital, as the nature of threats will continue to evolve. Entities that do not have a well-tested playbook to help define and shape their activities following an attack will be disadvantaged and could become more exposed to future attacks. Once an attack becomes apparent, management teams have the potential to be more in control of the situation than ever before.
We believe that attacks that disrupt or inhibit operations (potentially cloud-based attacks, malware, or denial of services) may have a more meaningfully negative effect on credit ratings than those that target the theft of customer data, especially in the case of less material reputational damage or data-related regulatory fines. In such cases, the bar for swift and appropriate action is even higher to avoid negative credit rating actions.
Despite a large data breach in early 2015, U.S. health insurer Anthem Inc. was able to maintain its very strong business profile and balance sheet, resulting in an upgrade in May 2015 to 'A/A-1' from 'A-/A-2'. Anthem Inc. proactively handled the communication and policyholder redress programs in a positive manner--a crucial factor in limiting the credit implications following a large-scale attack. Our wider analysis suggests that entities that handle cyber attacks well are able to manage and maintain revenue levels in the aftermath of an attack.
A Theoretical Cyber Risk Framework Is Only As Good As Its Performance In Practice
Companies' C-suite members remain best placed to help in-house cyber security teams engage employees in cyber prevention efforts. Employees are the first line of defense against the vast majority of potential cyber attacks. We expect management teams will be increasingly accountable for their actions or inactions on cyber. What's more, we are likely to see an increase in shareholder activist campaigns against companies that are not fulfilling reasonable standards of care in this space. In the government realm, similarly, we expect to see a weakening of constituent trust where companies do not uphold reasonable cyber prevention and response actions.
We have seen some isolated examples of cyber attacks exposing previously undiscovered control issues. Such issues can even be apparent within well-defined risk-management frameworks, especially if entities have not fully embraced desktop exercises or simulated cyber attacks as part of their efforts prior to a real attack.
For example, our downgrade of Bank of Valletta PLC to 'BBB-/A-3' demonstrated how operational risk management deficiencies, including regulatory observations and a cyber attack, increased our concerns regarding the robustness of the bank's operational risk management. (For more information, see “Malta-Based Bank of Valletta PLC Downgraded To 'BBB-/A-3' On Internal Control Issues; Outlook Stable,” July 31, 2019 and “Bank of Valletta Outlook Revised To Negative On Sharp Economic Contraction; Ratings Affirmed,” April 23, 2020.)
We believe that it would be less common for an entity to possess a strong and sophisticated cyber risk-management framework, yet still experience wider, systemic governance issues. Equally, an entity with strong governance protocols does not necessarily have robust levels of cybersecurity, but we would expect it to respond appropriately following an attack. Leadership is key in ensuring a systematic and timely response to minimize the impact, while maintaining communications with customers, suppliers, regulators, and other stakeholders. Appropriate communication channels to connect with relevant stakeholders, conveying clear and transparent messages, as well as attempting to alleviate stakeholder concerns upfront have proven to be key success factors to date.
Many of our rating criteria frameworks across different asset classes include a focus on overall governance standards and/or risk management attributes. This helps us to reflect material gaps in risk frameworks in existing credit ratings, especially where we identify operational risk-management deficiencies.
Our Analysis Deepens Depending On The Potential Magnitude Of The Risk
For many of the entities we rate, cyber risks already constitute an important part of the operational challenges they face. We expect to increasingly focus on this risk factor as part of our management meeting discussions in the coming months and years, as the growth of cyber risks has more potential to shape credit fundamentals.
Our current focus on cyber risks scales up or down depending on the sector and the issuer-specific dynamics and exposures. If we believe an issuer is materially exposed to such a potentially material tail risk, we would seek to reflect this in the current rating.
Although we have flagged cyber security as an important risk that will affect the global credit landscape, we see certain sectors such as public finance, restaurants/retail, mainstream technology companies, and banking as being relatively more exposed. For such companies and issuers, we focus more on understanding their exposures and risk management and mitigation plans. We expect to engage and discuss more with management teams on this topic than ever before, especially to understand preventative actions as well as any cyber risk framework enhancements that are planned following attack post-mortems.
When cyber attacks occur, they are unexpected and sometimes remain undetected for many months. However, to date, they have had limited direct impact on ratings. This is mainly because of the relatively small impact on entities' balance sheets so far, particularly compared with other risks such as recent macroeconomic pressures. In addition, high-impact attacks have largely been concentrated on state-backed entities, which often allows for a wider range of potential actions and revenue bases to help in the response efforts. These institutions have, in general, demonstrated reasonable responses following attacks.
Cyber Past Is Not A Good Guide To The Future
Cyber events and threats evolve dynamically--there is a constant battle of finding and patching system flaws, both from the perspectives of attackers and defenders. Indeed, it is a game with high stakes.
We believe there will be a tipping point within the next decade, likely accelerated by the COVID-19 pandemic, when the frequency of successful attacks increases. If this is accompanied by a simultaneous increase in the severity of an attack, there may be a more significant effect on entities' credit profiles, especially if handled poorly. The severity of cyber attacks may be relatively low currently, but in the case of governance deficiencies and poor handling, the frequency and cost of attacks can add up (in terms of fines, brief business interruption cases, data recovery costs), potentially damaging profitability and cash and liquidity levels.
Strong balance sheets help entities to manage the cost of potential fines for non-compliance with information security regulations, compensation for customers, and, at the extreme, cyber ransom payments. Cyber insurance is proving an increasingly useful tool in transferring risks off balance sheets, but insurers will need to offer more relevant products for the market to succeed (see “Cyber Risk In A New Era: Insurers Can Be Part Of The Solution,” Sept. 2, 2020). The importance of legal and regulatory compliance has never been more important (or more complex). Entities find it close to impossible to stay fully abreast of all potential threats--limited budgets and cost controls mean that cyber spend is a finite resource. It is also difficult to demonstrate the need for cyber spending when the entity has not suffered financially following an attack. Cyber risk-management teams seeking budgetary approvals from their C-suite will fare better if they can demonstrate most "bang for their buck" for cybersecurity investments. This may be a difficult sell, but the importance cannot be underestimated and often requires a creative approach to highlight return on investment.
In the case of Travelex Holdings Ltd., for example, we placed the 'B-' ratings on CreditWatch negative following a cyber attack in January 2020. After successive downgrades to 'CCC' and then to 'CC', we subsequently lowered the rating to 'D' (default) in August 2020 following a perfect storm of cyber, governance, and financial reporting issues, as well as challenges related to COVID-19. We indicated that we saw negative pressure on the ratings in January 2020, where we cited our concerns about the strength of overall governance and internal controls. (For more information, see “Travelex Holdings Ltd. 'B-' Ratings Placed On CreditWatch Negative On Cyber Attack Disruption,” published Jan. 9, 2020.)
This example also highlights the potential impact of cyber attacks on credit ratings given how much they can disrupt operations and day-to-day functioning. This is exacerbated in the case of suboptimal protocols and communication in the wake of such an attack and even more detrimental in the case of a group with an excessive debt burden.
Related Research
- Cyber Risk In A New Era: Insurers Can Be Part Of The Solution, Sept. 2, 2020
- U.S. Public Finance Issuers Must Be Nimble To Fend Off Cyberattacks Or They Could Face Credit Fallout, Feb. 25, 2020
This report does not constitute a rating action.
| Primary Credit Analyst: | Simon Ashworth, London (44) 20-7176-7243; simon.ashworth@spglobal.com |
| Secondary Contacts: | Geoffrey E Buswick, Boston (1) 617-530-8311; geoffrey.buswick@spglobal.com |
| Manuel Adam, Frankfurt (49) 69-33-999-199; manuel.adam@spglobal.com | |
| Lizzy Moir, London; lizzy.moir@spglobal.com | |
| Nik Khakee, New York (1) 212-438-2473; nik.khakee@spglobal.com | |
| Cristina Polizu, PhD, New York (1) 212-438-2576; cristina.polizu@spglobal.com | |
| Irina Velieva, Moscow (7) 495-783-40-71; irina.velieva@spglobal.com | |
| Lena Schwartz, RAMAT-GAN (972) 3-753-9716; lena.schwartz@spglobal.com | |
| Etai Rappel, RAMAT-GAN (972) 3-753-9718; etai.rappel@spglobal.com | |
| Matthew S Mitchell, CFA, London (44) 20-7176-8581; matthew.mitchell@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: research_request@spglobal.com.