The increasing credit relevance of cybersecurity

The recent ransomware attack that shut down the Colonial Pipeline in the United States exemplifies the growing sophistication of cyberattacks over the past 12 months. Ever since the Colonial attack, there have been attacks involving the insurance sector in Asia, a European truck lease provider, a French distressed debt purchaser, and a global food company. All involved ransomware demands and highlighted attackers' ability to choose targets without regard for geography or sector.

Nor are attacks limited to listed firms: sovereign states and public institutions are acutely vulnerable, too. We have seen attacks on the US city of Hartford, numerous Texas school districts, and, more recently, on the Irish health-care system.

Not surprisingly, cyber risk is becoming an increasingly important factor in determining credit ratings. At S&P Global Ratings, we have seen more credit-relevant cyber events in the last six months than in the previous six years, and we routinely reflect on recent cyber developments to sharpen our focus. Our most recent assessments have reinforced many of our previous views, but our perspective on managing cyber risk continues to evolve.

Many of our rated entities, particularly in information technology and insurance, are seeing more opportunities emerge in cyber services. But firms would benefit from taking several steps to help mitigate the potential credit impact of cyberattacks.

First, swift action remains vital – as we saw recently in the wake of the cyberattack on the US insurer CNA. The company's prompt remedial measures – including communicating with employees, customers, brokers and agents, investors, and regulators – helped to limit the extent of the damage and allayed our initial concerns about the potential impact on its brand, reputation, and competitive position.

Second, while active prevention of cyber events is now becoming the norm, many cyberattacks are being structured in a way that makes them ever more difficult to uncover. Active detection will therefore become a competitive advantage.

We saw the importance of active detection in the case of SolarWinds Holdings Inc., which is widely reported to have suffered a cyber breach in early 2020 – several months before the firm noticed it. The time that elapsed from attack to detection increased the scale and magnitude of the event. The impact and cost of the attack contributed in part to S&P's recent downgrade of SolarWinds to B from B+.

Third, although the COVID-19 pandemic will likely increase senior executives' propensity to allocate funds to manage their firms' exposure to cyber risk, this is not enough. Given that a large proportion of cyber-related breaches can be traced to a deficient risk culture or human error, even sizeable cyber IT spending is not sufficient. Money alone cannot address this risk. We therefore expect to see more C-suite support for simulation exercises to gauge and probe preparedness.

Fourth, the credit impact in the wake of a cyberattack remains contingent on the type of attack and its underlying motive. Companies may suffer indirectly as a result of centralized, perhaps politically motivated attacks such as the SolarWinds and Microsoft Exchange Server episodes, but these may not always have direct financial and reputational consequences. Direct attacks on specific firms or institutions, which combine a balance-sheet event with material operational disruptions, are more likely to have ratings implications, particularly if they are poorly managed.

Fifth, companies are in a virtual arms race with attackers, so they need to get cyber risk basics right even to have a chance of staying one step ahead. Those with subpar governance standards will likely have a relatively weaker credit rating prior to any cyberattack. We will increasingly watch out for lax cyber governance standards in particular, and especially a lack of basic features such as employee training and software patching. Adequate and timely patching reduces firms' potential exposure to known vulnerabilities that cyber attackers often attempt to exploit.

We regard management of cyber risks as a category of overall operational risk management. Conventional and standard risk management and governance can be easily adapted, so it is important for companies to be aware of their cyber risk appetite and tolerance level. If a firm cannot stay one step ahead, it must ensure that it does not fall behind its peers. At a minimum, we would expect a company to have a reliable and fully tested data backup and recovery strategy.

Sixth, the next major threat to the global financial system could easily be cyber related, with more correlated risk and more rapid contagion than is currently anticipated. Companies and governments should plan accordingly. Depending on its magnitude and financial impact, as well as the success of mitigation efforts, such an event could trigger widespread rating actions. Companies with weaker balance sheets that lack adequate cyber insurance will more likely face credit rating pressure.

Insurers themselves are learning from pandemic-related ambiguity across their products, and this must remain a focus. The August 2020 cyberattack on New Zealand's stock exchange (NZX) should not have been unexpected, given the role the exchange plays in the financial system. NZX subsequently accepted that its technology resources and crisis-management planning needed improvements.

 Lastly, events over the past 12 months have highlighted the vulnerability of complex, interdependent production networks, making supply chains an increasing source of cyber risk in the coming years. As a number of recent attacks – including those on SolarWinds, the Microsoft Exchange Server, and Codecov – and the 2013 data breach at Target have highlighted, cyber risk governance must focus on the wider supply chain, including cyber standards at third-party providers.

Firms should make it part of their DNA to learn from past cyberattacks and take active measures to prevent and detect future threats. Given the importance of cyber-risk governance for credit ratings, the benefits of robust cybersecurity will likely extend beyond the digital realm.

Simon Ashworth is Head of Analytics and Research – Insurance at S&P Global Ratings.

Disclaimer: This article first appeared on Project Syndicate, and is published by special syndication arrangement.