• The cyber threat to corporate issuers is predominantly concentrated in sectors that have critical infrastructure systems that are highly sensitive to business interruption or have extensive and sensitive customer data, technology, or intellectual property (IP).
• S&P Global Ratings credit analysts believe business interruption and reputational damage are the most acute credit risks from cyberattacks for corporates.
• While rating actions related to cyber risk have been modest to date, risk levels remain elevated amid increasing technological dependency and global interconnectedness. Our analysis of cyber incidents across our rated companies illustrates the growing likelihood for more significant impact on companies' business and financial profiles.

• Rating: A/Stable/--
• Sector: Midstream Utilities
• Attack type: Ransomware
• Rating considerations: Cash flow/leverage

Colonial reported a ransomware attack on May 7, 2021. The company temporarily halted operations and took certain systems offline to contain the threat—it shut down 5,500 miles of pipeline, leading to a disruption of nearly half of the East Coast fuel supply and causing gasoline shortages. The company also engaged a third-party cyber security firm to support it through this process at a cost of roughly $5 million.

Colonial had periodically endured temporary curtailments for one-off events such as hurricanes or pipeline spills, without a credit deterioration. Volumes for certain refined products were also already running lower than 2019 levels because of the COVID-19 pandemic. Gasoline and jet fuel demand were just beginning to recover to pre-pandemic levels, further mitigating the impact. As a result, the incident did not materially alter our 2021 base-case forecast of an adjusted debt-to-EBITDA ratio of 3x-3.5x or breach our downgrade trigger of sustained leverage above 3.5x.

Following the cyberattack, Colonial employed additional cybersecurity measures to protect its IT systems and recovered a significant portion of the total costs related to the incident from insurance. We estimate the total cost of the incident had no material impact on the company's cash flow profile. However, the company is currently subject to three class action lawsuits that may cause additional liabilities.

The event highlighted the vulnerability of critical infrastructure to cyberattacks, especially as operations become more digitized. Some companies may have business interruption insurance that could mitigate such events. While this event didn't immediately affect credit quality, prolonged reduced operations could resonate throughout the energy landscape. It also highlighted the potential spill over effects that cyberattacks could have on third parties and related end markets. This contributed to congressional passage of new cyber requirements for critical infrastructure firms, obligating them to alert the government within three days of a cyberattack and within one day if ransom is paid.

• Rating: BBB-/Stable/--
• Sector: Consumer Products
• Attack type: Ransomware
• Rating considerations: Management/Governance

On May 30, 2021, JBS USA Lux S.A. reported its systems were attacked in a ransomware incident. Its U.S. beef and Australian operations were affected, representing 40%-45% of JBS' revenue and EBITDA in the prior 12 months. It estimated that 20% of its U.S. plants were offline after the ransomware attack, but it didn't affect the Mexican and U.K. operations that are also under JBS USA Lux. The company's quick action, robust technological systems, and support from the White House, the USDA, and FBI enabled it to rapidly resolve the situation. Production resumed completely one day after the attack, and according to the company there was no data breach or privacy leak. In our view, the impact of the cyber incident did not have any material impact on the company's market standing, cash position, or cash generation.

There was no ratings impact largely because of the company's sufficient balance sheet cushion (see "JBS S.A. Upgraded To 'BBB-' From 'BB+' On Longer Record Of Improved Governance Standards, Outlook Stable", June 2, 2021). Given the procurement dynamics of the U.S. beef industry with record high margins at the time, we believed even higher profitability would mitigate the impact of lost volumes if the temporary shutdown led to higher prices. Volumes were quickly restored and market prices were not affected, with no lasting impact on JBS' credit metrics and cash generation.

At the time, we assessed JBS' management and governance (M&G) assessment as weak because of corruption scandals involving the company and its owners in 2017 that led JBS to refinance all its bank debts. For the past several years, JBS has consistently implemented stronger control scrutiny, added senior positions in compliance and risk, and exhibited more conservative financial policy to contain leverage, including its strategic approach to M&A and shareholders' remuneration. JBS' owners that were involved left the company and it increased the number of independent board members and market professionals in the executive team. Family members still hold senior positions, but we believe there is less reliance on key personnel for strategic decisions.

Because of the above, we have revised our M&G assessment to fair from weak in June 2022, which led us to raise the rating to 'BBB-' from 'BB+'. In our view, the fair assessment indicates ongoing improvements but still reflects weaker governance and risk controls when compared to other industry peers.

• Rating: B/Stable/--
• Sector: Tech Software
• Attack type: Malware
• Rating considerations: Competitive position and cash flow/leverage

On Dec. 14, 2020, SolarWinds Holdings Inc. reported a malware cyberattack (Sunburst breach) that inserted a vulnerability into its Orion monitoring products, allowing the compromise of servers on which Orion products run. The vulnerability was inserted into updates released between March and June 2020. Orion products represented 45% of its total revenues. Of the more than 300,000 SolarWinds customers, 33,000 were active maintenance customers of Orion. The company estimated fewer than 18,000 customers had installed the version of Orion that contained the vulnerability.

On Dec. 22, 2020, we placed our rating on SolarWinds on CreditWatch with negative implications, as new information indicated the potential for serious harm to affected clients. We specifically noted an increased negative risk to new sales and of attrition in the existing customer base.

In April 2021, we downgraded SolarWinds Holdings Inc. to 'B' with a stable outlook, with the cyber incident a contributing factor. Although the company managed the incident well, facilitating recovery and remediation through proactive communication, it nonetheless resulted in lower revenue growth, higher costs, and lower profitability in 2021. At the time, we forecasted a decline in its renewal rates (dropping to the low-80% area from the low-90% area prior to the Sunburst breach) and up to $25 million of annual costs to boost its security initiatives. These contributed to an increase in S&P Global Ratings'-adjusted gross debt to EBITDA to above 6x, along with the divestment of N-able, its managed service provider business. Almost two years on, while renewal rates have ticked up to historical (pre-breach) levels, the company continues to face growth headwinds due to the lingering effects of the breach on net new business. The breach remains a materially negative social factor in our consideration of credit-relevant ESG risks in our rating, weighing on our assessments of the company's competitiveness and financial performance.

• Rating: BBB-/Positive/--
• Sector: Telecom
• Attack type: Data breach
• Rating considerations: Competitive position, cash flow/leverage, liquidity, and management and governance

On Aug. 16, 2021, T-Mobile reported a data breach, estimating that about 7.8 million post-paid accounts, or about 30% of its total post-paid subscriber base at the time were affected, as well as 40 million records of former and prospective customers. The data, which included names, phone numbers, addresses, birth dates, social security numbers, and driver's license information, was stolen and offered for sale. T-Mobile disclosed that it was working with Mandiant to develop a strategic plan to boost its overall cybersecurity. KPMG was also instructed to review T-Mobile's security policies to identify any gaps and areas that needed to be improved.

The cyberattack had no ratings impact as the company had sufficient financial flexibility to absorb the near-term costs associated with the data breach, including robust liquidity and cash flow generation (see "The Recent Cyberattack On T-Mobile US Could Hurt Its Reputation And Make It More Difficult To Attract Postpaid Customers", Aug. 31, 2021). Indeed, this allowed the company to absorb $350 million in lawsuit settlement costs and a requirement to invest $100 million annually to upgrade network protection capability without a material credit impact.

However, we added that the incident posed potential reputational risk for T-Mobile given the scope of the data breach. In our view, the most significant longer-term risk for T-Mobile was the potential loss of confidence of its existing customers in the security of their personal information and the possibility of higher churn to other carriers and fewer gross subscriber additions, especially in its high-margin post-paid segment. The attack also raised our concern about T-Mobile's ability to address its risks and whether it had a sufficiently comprehensive cybersecurity strategy.

That said, the cyberattack ultimately did not affect operating or financial performance. In fact, during the second quarter of 2022, T-Mobile reported service revenue growth of 6%, post-paid phone net adds of 723,000, and record low post-paid phone churn of 0.8%. Furthermore, on Aug. 5, 2022, we raised the issuer credit rating on T-Mobile to 'BBB-' with a positive outlook based on performance and improving credit metrics.

• Rating: Not rated
• Sector: Travel and Leisure
• Attack type: Malware
• Rating considerations: Competitive position, Cash flow/leverage, Liquidity, and Management/Governance

On Jan. 2, 2020, U.K.-based Travelex Holdings Ltd. reported a malware attack had compromised its online services requiring it to take its systems offline. The malware primarily affected Travelex's online service segment, and the decision to take the system offline as a precautionary measure consequently affected online services including those of its customers such as Tesco, Sainsbury's, HSBC, and Virgin Money. Besides the breaches of service level agreement terms with its customers, reputational damage from this incident had the potential to affect Travelex's market standing and its ability to successfully renew outsourcing contracts.

On Jan. 9, 2020, we put our ratings on Travelex on CreditWatch with negative implications (see "Travelex Holdings Ltd. 'B-' Ratings Placed On CreditWatch Negative On Cyber Attack Disruption"). While the full extent of the disruption wasn't known at that point, we commented that the disruption would affect Travelex's reputation and brand and raised concerns about the strength and adequacy of its governance and internal controls. We revised Travelex's management and governance assessment to weak from fair based on the time involved to resolve the breach and the reputational damage sustained through public media coverage of the incident. With Travelex's highly leveraged stand-alone capital structure and its rating headroom reduced, the scale and extent of the cyberattack also raised questions about its creditworthiness on a stand-alone basis.

We downgraded Travelex to 'CCC' on March 4, 2020, based on knock-on effects of the ransomware attack combined with lower transaction volumes from COVID-19, reducing underlying EBITDA for the first quarter of 2020 by £25 million. The company successfully restored all its customer-facing systems in a phased and controlled program, reducing the effect of the malware for the rest of the year. The company recovered some of the cost through a cyber-insurance policy. That said, the timing of the insurance payments and any regulatory implications of these attacks wasn't determined at the time of this rating action. We also commented that the COVID-19 disruption and its effect on full-year earnings could lead to a deeply unsustainable capital structure.

• Rating: A+/Stable/--
• Sector: Automotive
• Attack type: Malware
• Rating Considerations: Competitive position and cash flow/leverage

On March 1, 2022, Toyota was forced to suspended operations on all of its 28 lines at 14 domestic plants in Japan, including the plants at its subsidiaries Daihatsu Motor Co. Ltd. and Hino Motors Ltd. The suspension lasted for a day because of a malware attack on one of its domestic suppliers, Kojima Industries Corp.

The impact was relatively limited as Toyota was able to dispatch a support team to help Kojima resolve its system issues. In all, the production of about 13,000 vehicles were affected, compared to global sales of more than 9.6 million in fiscal 2021 (ended March 31, 2022). Had the production outage lasted longer, Toyota could have experienced a more meaningful decline in cash flows.

Despite the limited impact, the malware attack highlights potential vulnerabilities within a rated issuer's supply chain. As supply chains become increasingly complex, and an important competitive differentiator, companies will find it more difficult to manage cyber risks across the value chain. Attackers need only find vulnerabilities at smaller suppliers with weak cyber defenses to cause material disruption across the supply chain.

The cyberattack also highlights the need for greater vigilance in the Asia-Pacific region. Though cyberattacks are more widely disclosed in the U.S. and Europe, high-profile cyberattacks have increased in Asia in the past year.

• Rating: BB-/Stable/--
• Sector: Telecom
• Attack type: Denial of service
• Rating considerations: Competitive position, cash flow/leverage, and liquidity

In February 2022, Viasat's KA-SAT network (its satellite over Europe, the Middle East, and Africa) was subject to a denial-of-service (DoS) cyberattack that resulted in a partial interruption to its consumer broadband service. The attack, which was first reported in March 2022, was isolated to a consumer-focused part of its KA-SAT network affecting a minority of its users, including several thousand customers located in Ukraine and tens of thousands of fixed-broadband customers across Europe. The attack did not affect users on Viasat's other networks. The KA-SAT network, which Viasat had acquired in 2021, was managed by Skylogic, a subsidiary of Eutelsat S.A. Viasat stabilized the network in the days following the attack and continued to provide broadband service to its customers. Still, the breach garnered global media attention due to speculation that the attack had emanated from Russian hackers attempting to disrupt communications during Russia's invasion of Ukraine.

In April 2022, we commented that the attack would not have a material impact on Viasat's creditworthiness and that there was no ratings impact, though we would monitor the company's operating performance over the coming quarters to determine whether the incident led to increased customer attrition or lower bookings (see "Viasat Inc.'s Creditworthiness Will Likely Be Unaffected By The Recent Cyberattack Against Its KA-SAT Network").

We concluded there would be no immediate credit impact because we expected limited revenue losses from the service interruption since the vast majority of Viasat's global customer base was unaffected, and the company was in the process of restoring service to those affected. In addition, we expected only a modest increase in Viasat's operating costs to resolve the incident, mostly related to shipping and testing costs associated with replacing customer equipment. As a result, we expected Viasat to maintain credit metrics that supported the rating. Further, because Viasat was operating under a transition agreement with Skylogic to operate and support the ground segment operations of the KA-SAT network at the time of the attack, we did not view the incident as indicative of a material deficiency in Viasat's risk management or governance practices. In addition, the fact that Viasat was not operating the network infrastructure reduced the risk of reputational damage, in our view.

Although we did not anticipate the incident would have a near-term effect on our rating on Viasat, we expected the company would incur additional costs over the long term such as higher insurance premiums for its cyber risk coverage, increased investment to implement enhanced security measures in its products and services, and potential litigation expenses. Still, we expected these costs would be modest and did not foresee them having a material effect on the company's credit metrics or business prospects.