The increasing credit relevance of cyber-security
Firms should seek to learn from past cyber-attacks and take active measures to prevent and detect future threats. Given the potential positive impact on their credit ratings, the benefits of robust cybersecurity will likely extend beyond the digital realm.
Simon Ashworth 7 Jun 2021

The recent ransomware attack that shut down the Colonial Pipeline in the United States exemplifies the growing sophistication of cyber-attacks over the past 12 months. Ever since the Colonial attack, there have been attacks involving the insurance sector in Asia, a European truck lease provider, a French distressed debt purchaser, and a global food company. All involved ransomware demands and highlighted attackers’ ability to choose targets without regard for geography or sector.

Nor are attacks limited to listed firms: sovereign states and public institutions are acutely vulnerable, too. We have seen attacks on the US city of Hartford, numerous Texas school districts, and, more recently, on the Irish healthcare system.

Not surprisingly, cyber-risk is becoming an increasingly important factor in determining credit ratings. At S&P Global Ratings, we have seen more credit-relevant cyber-events in the last six months than in the previous six years, and we routinely reflect on recent cyber developments to sharpen our focus. Our most recent assessments have reinforced many of our previous views, but our perspective on managing cyber risk continues to evolve.

Many of our rated entities, particularly in information technology and insurance, are seeing more opportunities emerge in cyber-services. But firms would benefit from taking several steps to help mitigate the potential credit impact of cyber-attacks.

First, swift action remains vital – as we saw recently in the wake of the cyber-attack on the US insurer CNA. The company’s prompt remedial measures – including communicating with employees, customers, brokers and agents, investors, and regulators – helped to limit the extent of the damage and allayed our initial concerns about the potential impact on its brand, reputation and competitive position.

Second, while active prevention of cyber events is now becoming the norm, many cyberattacks are being structured in a way that makes them ever more difficult to uncover. Active detection will therefore become a competitive advantage.

We saw the importance of active detection in the case of SolarWinds Holdings, which is widely reported to have suffered a cyber-breach in early 2020 – several months before the firm noticed it. The time that elapsed from attack to detection increased the scale and magnitude of the event. The impact and cost of the attack contributed in part to S&P’s recent downgrade of SolarWinds to B from B+.

Third, although the Covid-19 pandemic will likely increase senior executives’ propensity to allocate funds to manage their firms’ exposure to cyber-risk, this is not enough. Given that a large proportion of cyber-related breaches can be traced to a deficient risk culture or human error, even sizeable cyber-IT spending is not sufficient. Money alone cannot address this risk. We therefore expect to see more C-suite support for simulation exercises to gauge and probe preparedness.

Fourth, the credit impact in the wake of a cyber-attack remains contingent on the type of attack and its underlying motive. Companies may suffer indirectly as a result of centralized, perhaps politically motivated attacks such as the SolarWinds and Microsoft Exchange Server episodes, but these may not always have direct financial and reputational consequences. Direct attacks on specific firms or institutions, which combine a balance-sheet event with material operational disruptions, are more likely to have ratings implications, particularly if they are poorly managed.

Fifth, companies are in a virtual arms race with attackers, so they need to get cyber-risk basics right even to have a chance of staying one step ahead. Those with sub-par governance standards will likely have a relatively weaker credit rating prior to any cyber-attack. We will increasingly watch out for lax cyber governance standards in particular, and especially a lack of basic features, such as employee training and software patching. Adequate and timely patching reduces firms’ potential exposure to known vulnerabilities that cyber-attackers often attempt to exploit.

We regard management of cyber-risks as a category of overall operational risk management. Conventional and standard risk management and governance can be easily adapted, so it is important for companies to be aware of their cyber-risk appetite and tolerance level. If a firm cannot stay one step ahead, it must ensure that it does not fall behind its peers. At a minimum, we would expect a company to have a reliable and fully tested data backup and recovery strategy.

Sixth, the next major threat to the global financial system could easily be cyber-related, with more correlated risk and more rapid contagion than is currently anticipated. Companies and governments should plan accordingly. Depending on its magnitude and financial impact, as well as the success of mitigation efforts, such an event could trigger widespread rating actions. Companies with weaker balance sheets that lack adequate cyber-insurance will more likely face credit-rating pressure.

Insurers themselves are learning from pandemic-related ambiguity across their products, and this must remain a focus. The August 2020 cyber-attack on New Zealand’s stock exchange (NZX) should not have been unexpected, given the role the exchange plays in the financial system. NZX subsequently accepted that its technology resources and crisis-management planning needed improvements.

Lastly, events over the past 12 months have highlighted the vulnerability of complex, interdependent production networks, making supply chains an increasing source of cyber-risk in the coming years. As a number of recent attacks – including those on SolarWinds, the Microsoft Exchange Server, and Codecov – and the 2013 data breach at Target have highlighted, cyber-risk governance must focus on the wider supply chain, including cyber-standards at third-party providers.

Firms should make it part of their DNA to learn from past cyberattacks and take active measures to prevent and detect future threats. Given the importance of cyber-risk governance for credit ratings, the benefits of robust cyber-security will likely extend beyond the digital realm.

Simon Ashworth is Head of Analytics and Research – Insurance at S&P Global Ratings.

Copyright: Project Syndicate
