Key Takeaways
- The recently discovered vulnerability in the widely used software library Apache Log4j highlights the increasing risk that cyber events pose to credit.
- We think cyber governance will play a central role in determining the magnitude of the impact on entities from this security flaw over the coming weeks and months.
- Entities that are badly prepared, handle the event poorly, have weaker balance sheets, and lack adequate cyber insurance or other means to address the potential financial impact will be most exposed.
The recently discovered flaw in the widely used open-source Apache Log4j software reaffirms our view of heightened risks from the increasingly digital and globally interconnected ecosystem, with opaque and complex supply chains.
We expect entities with well-developed cyber risk management frameworks to be diligently executing their cyber response plans to fix the flaw. This includes patching, assessing exposure, and attempting to gauge any immediate breaches. The more sophisticated cyber risk management frameworks would have been able to detect any malicious behavior prior to the public announcement of this flaw. Now, the focus has shifted to responding and--if needed--recovering for those that did not.
We continue to see the exposure of business models and digital networks to disruption and cyber risk as key global structural credit risks. Credit-relevant cyber events are increasing at unprecedented levels. Even prior to the emergence of the Log4j flaw, we had forecast more meaningful systemwide attacks next year given the opportunities for hackers over the past 12-18 months to gain access to IT infrastructure (for further details see "Cyber: Are Credit Markets Ready For A systemwide Attack?" published Dec. 3, 2021.
Over the past few days, entities across the world have been in a race against time to reduce exposure to the flaw, understand potential exposure stemming from suppliers and third-party vendors, and--importantly--limit the amount of time that attackers have unfettered access to internal IT networks and infrastructure. Apache released two patches to known vulnerabilities within days of disclosing the vulnerability. However, even once applied, we expect entities to be on high alert for many weeks to come given the likelihood that their systems may have been compromised.
Active Detection Is The New Active Prevention In Cybersecurity
We have long said that active detection is the new active prevention in cybersecurity. Following the discovery of the Log4j flaw and appropriate identification of active threats, ongoing active detection will be more of a competitive advantage than ever before. Entities that have prioritized and invested in this important facet of cybersecurity will be in a much stronger position to mitigate risks from this event. Although it may be difficult to directly attribute future attacks to this flaw, we expect the access and internal network information gained by external actors will pose a threat well into the future. At a minimum, we expect to see increased DDoS and targeted ransomware attacks, and we recognize the increased potential for more sophisticated attacks.
Exposure to this flaw poses clear risks for rated entities, mainly because of the wide-ranging use of the Log4j framework. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) believes hundreds of millions of devices are likely affected. Log4j is a widely used by vendor applications, increasing the likelihood that some part of an issuers' network may be compromised. Once any threat actors gain access through the vulnerability, they could deploy malware, steal credentials or data, or launch DDoS attacks, among other threats. This, in turn, could result in lost revenues, contingent liabilities, and increased costs associated with containing an attack. Despite the magnitude of this event from an IT perspective, this type of event should not be unexpected, and issuers should have response plans embedded into their risk management policies.
The Central Role Of Cyber Governance Is More Central Than Ever
Although the scale of this event is undoubtedly large, the role of cyber governance remains central, and this will differentiate the magnitude of the impact that entities will experience. We will engage with rated entities as necessary to understand more about their cyber response plans and their views on potential exposure. We expect a wide range of motives for attacks (not just politically driven) to emanate from this event, which could make this more financially material than other events.
As is the case in any cyber event, we expect entities that are badly prepared, handle the event poorly, have weaker balance sheets, and lack adequate cyber insurance or other means to address the potential financial impact will be most exposed. Our wider focus on governance as part of our forward-looking credit analysis helps us detect weaker risk management policies, including those for managing cyber risk. We see a strong link between weak general governance standards and weak cyber governance.
Expect The Unexpected: High Alert Needed For More Than A Few Days
We expect the world to be on high alert to potential exposure over the coming weeks, and active detection will be key to containing and mitigating potential damage. This should include risk assessments and active dialogue with suppliers and third-party vendors. Given the potential long tail and latent exposure from this event, active detection will need to continue in order to avoid potential pitfalls. Although the flames currently appear to be under control, this may be a smokescreen. There may be a large-scale targeted future attack off the back of this flaw; expecting the unexpected in the cyber realm is key to maintaining creditworthiness.
Related Research
- Cyber: Are Credit Markets Ready For A systemwide Attack?, published Dec. 3, 2021
- Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?, Oct. 25, 2021
- Cyber Risk In A New Era: The Increasing Credit Relevance of Cybersecurity, July 14, 2021
- The Future Of Banking: Bank Cloud Adoption Goes From Blue Sky Thinking To Economic Necessity, Feb. 8, 2021
- Cyber Risk in a New Era | S&P Global Ratings (spglobal.com)
- Digitalization Of Markets | S&P Global Ratings (spglobal.com)
This report does not constitute a rating action.
| Primary Credit Analysts: | Simon Ashworth, London + 44 20 7176 7243; simon.ashworth@spglobal.com |
| Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com | |
| Secondary Contacts: | Manuel Adam, Frankfurt + 49 693 399 9199; manuel.adam@spglobal.com |
| Michael P Altberg, New York + 1 (212) 438 3950; michael.altberg@spglobal.com | |
| Paul Alvarez, Washington D.C.; paul.alvarez@spglobal.com | |
| Patrick Bell, New York (1) 212-438-2082; patrick.bell@spglobal.com | |
| Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com | |
| Zahabia S Gupta, Dubai (971) 4-372-7154; zahabia.gupta@spglobal.com | |
| Michelle Keferstein, Frankfurt (49) 69-33-999-104; michelle.keferstein@spglobal.com | |
| Nik Khakee, New York + 1 (212) 438 2473; nik.khakee@spglobal.com | |
| Matthew S Mitchell, CFA, Paris +33 (0)6 17 23 72 88; matthew.mitchell@spglobal.com | |
| Cristina Polizu, PhD, New York + 1 (212) 438 2576; cristina.polizu@spglobal.com | |
| Etai Rappel, RAMAT-GAN + 972-3-7539718; etai.rappel@spglobal.com | |
| Markus W Schmaus, Frankfurt + 49 693 399 9155; markus.schmaus@spglobal.com | |
| Lena Schwartz, RAMAT-GAN + 972-3-7539716; lena.schwartz@spglobal.com | |
| Irina Velieva, Moscow + 7 49 5783 4071; irina.velieva@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.