Cyber breaches already impact an organization’s regulatory standing and reputation. Now breaches, along with poor cyber risk management, can impact an organization’s credit rating as well. Two financial services firms recently announced that they will now factor cyber risk into their credit rating evaluations.
Both Moody’s Investors Service and Standard & Poor’s have reached a similar conclusion: cyber risks have the potential to weaken organizations significantly. Their decision adds a new financial concern for companies that are not taking enough action, or the right kind of action, to strengthen their cybersecurity and lower their cyber risks.
Moody’s — Now Weighting Cyber Risks
Moody’s released a report in late 2015, “Cross Sector – Global: Cyber Risk of Growing Importance to Credit Analysis,” announcing that the firm will now place more weight on considerations related to cyber risks when issuing credit ratings.
Moody’s said industries that house significant amounts of personal data, such as financial institutions, health care entities, higher education organizations and retail companies, are at the greatest risk for experiencing large-scale data theft attacks resulting in serious reputational and financial damage.
In the report, Moody’s identifies several key factors to examine when determining a credit impact associated with a cyber event, including the nature and scope of the targeted assets or businesses, the duration of potential service disruptions and the expected time to restore operations. Moody’s stated that it views material cyber threats in a similar vein as other extraordinary event risks, such as natural disasters, in which any subsequent credit impact is weighted according to the duration and severity of the event.
“Our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios,” explained Jim Hempstead, Moody’s associate managing director and lead author of the report.
S&P — Holding Financial Firms Accountable
In September, S&P issued a similar warning, stating that it would downgrade the credit ratings of financial institutions with poor cybersecurity protection. The firm stated that lenders could have their ratings lowered if they fail to protect themselves from cyber attacks or damaging breaches. S&P said it sees cybersecurity affecting credit ratings in two ways: the bank’s reputation and monetary damage caused to the bank.
The issue is particularly crucial at banks, stated S&P, because they play a key role in the world economy, making them high-value targets for attackers. “…we view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” the ratings company stated.
“Large financial organizations are faced with a daily barrage of attacks from hackers leaving no port unprobed,” reported SC Magazine. “The threats range from hostile governments to terrorists and even company insiders. … the issue has come to the forefront of the banking world as now more than ever this is a huge risk for the sector when lending money.”
Building a Stronger Security Defense with Risk Analysis
The good news is that organizations can avoid a credit rating downgrade by bolstering their cybersecurity defenses in a number of critical ways. The best place to start is to identify possible risks to the confidentiality, integrity and availability of an organization’s sensitive information and to determine the most proactive response to reduce the identified risks. A key step in identifying and responding to risks is conducting an organization-wide risk analysis.
There are several options for conducting a risk analysis. For example, the National Institute of Standards and Technology (NIST) provides a proven cybersecurity risk-analysis framework that guides organizations through five key stages: identify, protect, detect, respond and recover.
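As an added illustration of what an organization-wide risk analysis produces (this is example code written for this page, not a method from the article, NIST or the authors), the script below keeps a small risk register, scores each risk to confidentiality, integrity or availability, ranks the register, and checks whether the planned responses leave any of the five stages (identify, protect, detect, respond, recover) with no control at all. The 1-to-5 likelihood and impact scales, the tier thresholds and the sample risks are all constructed assumptions.

```python
"""Toy risk register: score and rank risks to confidentiality, integrity and
availability, then check which of the five framework stages the planned
responses cover. The likelihood x impact scoring model and the sample entries
are assumptions made for this example, not a method described in the article."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Qualitative scales (assumed for this example), both 1..5.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CIA = {"confidentiality", "integrity", "availability"}
STAGES = ("identify", "protect", "detect", "respond", "recover")


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str
    affects: Tuple[str, ...]   # subset of CIA
    likelihood: str            # key of LIKELIHOOD
    impact: str                # key of IMPACT (worst case across the affected properties)
    response: str              # planned control
    stage: str                 # framework stage the control belongs to


def validate(risk: Risk) -> None:
    """Reject entries that use values outside the agreed scales."""
    if set(risk.affects) - CIA:
        raise ValueError(f"{risk.name}: unknown property in {risk.affects}")
    if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
        raise ValueError(f"{risk.name}: likelihood/impact not on the scale")
    if risk.stage not in STAGES:
        raise ValueError(f"{risk.name}: unknown stage {risk.stage!r}")


def score(risk: Risk) -> int:
    """Likelihood x impact, from 1 (rare, negligible) to 25 (almost certain, severe)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def tier(s: int) -> str:
    """Map a score onto a treatment tier (thresholds assumed for this example)."""
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Validate every entry, then rank highest score first (ties broken by name)."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (-score(r), r.name))


def stage_coverage(risks: List[Risk]) -> Dict[str, int]:
    """How many planned controls fall under each framework stage."""
    counts = {s: 0 for s in STAGES}
    for r in risks:
        counts[r.stage] += 1
    return counts


def uncovered_stages(risks: List[Risk]) -> List[str]:
    """Stages for which the register plans no control at all: a gap to close."""
    return [s for s, n in stage_coverage(risks).items() if n == 0]


# Constructed sample register for a hypothetical healthcare organization.
REGISTER = [
    Risk("Phishing leads to credential theft", "staff e-mail accounts",
         ("confidentiality",), "likely", "major",
         "multi-factor authentication on all remote logins", "protect"),
    Risk("Unpatched internet-facing web server", "patient portal",
         ("confidentiality", "integrity"), "possible", "severe",
         "monthly patch SLA plus weekly external vulnerability scan", "identify"),
    Risk("No alert on privileged logins outside business hours", "domain controllers",
         ("confidentiality", "integrity"), "possible", "major",
         "alert on administrator logins between 20:00 and 06:00", "detect"),
    Risk("Ransomware encrypts file servers", "file servers",
         ("availability", "integrity"), "unlikely", "severe",
         "offline backups with quarterly restore test", "recover"),
    Risk("Lost unencrypted laptop", "clinician laptops",
         ("confidentiality",), "possible", "moderate",
         "full-disk encryption enforced by policy", "protect"),
    Risk("Vendor SaaS outage", "scheduling service",
         ("availability",), "unlikely", "minor",
         "contractual availability SLA with the vendor", "identify"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        s = score(r)
        print(f"{s:2d} {tier(s):8s} {r.name} -> {r.response}")
    print("stages with no planned control:", uncovered_stages(REGISTER))
```

Running it ranks the phishing and unpatched-server entries as critical and reports that the sample register plans nothing under "respond", which is exactly the kind of gap a risk analysis is meant to surface before a rating agency or auditor does.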
Organizations gain several benefits from conducting a risk analysis as the foundation of their cybersecurity operations, including:
- Continuous process improvement
- Marketplace differentiation
- Legal and regulatory compliance
- Better cloud security
- Proactive vs. reactive security management
- Program defensibility
These six benefits provide several advantages — including the opportunity to avoid a credit rating downgrade.
Contact us today for more information about how we help organizations to build and improve their cybersecurity and information risk management programs.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.