Cyber Risk Management Is Credit Risk Management, Says Seminar

Effective management of cyber risk is integral to organizations' wider risk management and a factor in S&P Global Ratings' credit risk assessments that has already contributed to credit rating revisions.

Cyber risk's role within credit risk was the major theme at S&P Global Ratings' Third Annual Cyber Risk Seminar, providing a common thread linking panels that reviewed the evolving cyber threat landscape, the prospects for a sustainable cyber insurance market, and the lessons from rating actions in which cyber attacks played a key role. A link to the replay of the online seminar is available here.

"This [cyber risk] isn't an emerging risk anymore. It isn't a siloed threat, it is an evolving risk, and it has to be an integrated part of risk management that is updated as threats evolve and as we learn," Tiffany Tribbitt, Senior Director and Lead for Global Cyber Security Research at S&P Global Ratings, told the seminar.

Cyber risk's role within credit risk is underscored by a growing, though thankfully still small, list of issuers that have had a rating affected by cyber incidents.

Among those cited at the seminar were:

Our analysts highlighted how issuers can reduce the risk of a successful attack, and mitigate the effects of a breach through planning and cyber risk management processes. And they discussed how we look for evidence of such planning and how that informs our assessment of a company's credit risk.

"We look at whether issuers have identified key assets, what have they done to protect them…, how they plan to respond to an ongoing attack and how they will recover," said Nik Khakee, Managing Director, Criteria SME for Ratings & Methodologies and head of the cross practice Cyber Expert Focus Team at S&P Global Ratings. "There is no magic set of questions that we are seeking to answer, all of our questions are aligned to getting information on those subjects, at a high level."

There was also guidance on what our analysts look for from an organization during and in the immediate aftermath of a breach, and recognition that the full financial and reputational impact of an attack can take months, or years, to come to full fruition.

"Our playbook for a cyber related event is not materially different than trying to evaluate a typical credit that is under stress," said Minesh Shilotri, Associated Director Corporate Ratings S&P Global Ratings. "The goal for an analyst…is to focus on short- and long-term factors that will affect the business's financial metrics. That includes any changes in immediate liquidity, litigation risks, and then in the longer term trying to assess the impact of revenue declines, and additional costs and investment beyond one-time expenses."

A Constant And Growing Threat

The increasing volume of cyber attacks, together with their financial and reputational costs, underpins the importance of effective cyber risk management.

"A recent IBM [Cost of a Data Breach] Report found that the average cost to recover was $4.35 million, and that is without the ransom included," Paul Alvarez, Cyber Risk Expert at S&P Global Ratings, said on a panel discussing the cyber risk state of play. "The threat is constantly evolving to become more effective in terms of monetizing attacks."

The increased number of ransomware attacks, which seek to extort money following a cyber breach, was described in S&P Global's "Cyber Trends and Credit Risks," published on Oct. 25, 2022. The report noted that the volume of attacks has increased 25% so far in 2022, compared to the same period in 2021, and highlighted the extent to which many organizations remained ill-prepared to deal with the threat.

The Cyber Risk Seminar panel also discussed new trends among attackers, including leveraging reputational damage from a data leak (a practice known as "double extortion"), the emergence of providers of ransomware-as-a-service, the deployment of so-called "blended attacks" that use disinformation to distract from a more malicious attack, and increasing sophistication in targeting.

"A lot of attackers are going after M&A targets," said Anna Loshkareva, Senior Vice President and lead for Booz Allen's advanced cyber defense business. "They know that when the company is going through M&A (mergers and acquisitions) there is huge pressure to close the deal and the company is likely to pay the ransom."

Loshkareva added that it is critical to perform proper due diligence before making an offer, in order to understand a target company's security posture and incident response readiness, and that performing early cyber risk assessments, compromise assessments, and/or resiliency and breach assessments can provide valuable insights during the M&A process.

Toward A Sustainable Cyber Insurance Market

The means to mitigate cyber risk is evolving alongside the threat, though the seminar heard that cyber insurance remains in a state of flux, with a market still maturing to a position that can be considered beneficial for all stakeholders.

"Demand remains very high and supply is not matching that because capacity is still lacking from reinsurers and the capital market, for example in the form of insurance linked securities," said Manuel Adam, Associate Director, Insurance Ratings, S&P Global Ratings, adding that growth in the size of the cyber insurance market is being driven by the increasing cost of policies rather than their increased volume.

Cyber insurance policies aren't the only area in which the market still has room to develop.

Deployment of cyber insurance remains patchy and dominated by the U.S., which accounts for about three-quarters of insurance coverage, noted Sharon Haran, Vice President, Europe, Parametrix Insurance. He also highlighted the need to come to terms with systemic risk, particularly given widely used cloud-based services, and the damage that wide scale outages due to cyber incidents could cause.

We have previously noted that those same risks demand that the insurance sector comes to terms with, and makes explicit, elements that will be excluded from cyber insurance policies as well as those that should be covered (see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," published July 26, 2022).

The Third Annual Cyber Risk Seminar is part of a series of events and articles by S&P Global Ratings focusing on how cyber risks affect credit analysis. Other events in the series include the "U.S. Public Finance: Cyber Risk Seminar" held in May, 2022, our Corporate Ratings team's "Cyber Spotlight: Cyber Risk", held in June, 2022, and "Cyber Risk: Learning from the Russia-Ukraine Conflict", held in April 2022. Replays of all the events will be available for one year from the date they were held.

Related Research

This report does not constitute a rating action.

Primary Credit Analyst:Tiffany Tribbitt, New York + 1 (212) 438 8218;
Tiffany.Tribbitt@spglobal.com
Secondary Contacts:Simon Ashworth, London + 44 20 7176 7243;
simon.ashworth@spglobal.com
Alexander J Gombach, New York + 1 (212) 438 2882;
alexander.gombach@spglobal.com
Nik Khakee, New York + 1 (212) 438 2473;
nik.khakee@spglobal.com
Minesh Shilotri, San Francisco + 1 (415) 371 5064;
minesh.shilotri@spglobal.com
Chloe A Pickett, Centennial + 1 (303) 721 4122;
Chloe.Pickett@spglobal.com
Andy A Hobbs, Dallas + 1 (972) 367 3345;
Andy.Hobbs@spglobal.com
Nico N DeLange, Sydney + 61 2 9255 9887;
nico.delange@spglobal.com
Paul Alvarez, Washington D.C. +1 2023832104;
paul.alvarez@spglobal.com
Martin J Whitworth, London +44 2071766745;
martin.whitworth@spglobal.com
