Dive Brief:
- The costs from cyberattacks — including business interruption, ransomware payments and legal settlements — pose an increasing threat to company creditworthiness due to loss of customers, theft of intellectual property or a break in revenue flows, Moody’s Ratings said.
- A company raided by cybercriminals may face near-term strains in liquidity and higher debt costs, according to Moody’s. Yet the harm to credit from a cyberstrike may unfold over years as litigation and regulatory fines mount, Moody’s said, while noting that so far it has altered the ratings of just a small number of companies due to cyberattacks.
- “The frequency, sophistication and costs of cyberattacks have been growing each year,” Leroy Terrelonge, a VP at Moody’s Ratings, said Wednesday in an email response to questions. “Eventually, if current trends continue, without proper mitigation the financial impact could well become material enough to stress leverage ratios and credit quality.”
Dive Insight:
Cyberattacks in the U.S. surged to 480,000 in 2022 from 250,000 in 2016, a 92% increase, according to Statista.
“As more data becomes available — thanks to recently adopted disclosure requirements — attacks continue to proliferate,” Terrelonge said.
Despite the rising threat, companies and government offices still present cybercriminals with a broad “attack surface.”
More than a third of 1.4 million organizations worldwide operated last year with at least one among the “known exploited vulnerabilities” identified by the Cybersecurity and Infrastructure Security Agency, Bitsight, a cyber risk management company, said last month.
The potential setback to credit from a cyberattack varies among companies, Moody’s said.
“Cash-strapped debt issuers with low liquidity and high leverage are more susceptible to the negative credit effects of cyber incidents,” Moody’s said. “In contrast, issuers with diverse revenue streams, larger financial resources and ample liquidity — such as highly diversified companies, sovereigns and regional and local governments — are generally better insulated.”
Moody’s has shifted ratings in only 19 instances for 10 debt issuers, the ratings company said, noting that the organizations it rates are generally large and well prepared to cope with the costs of a cyberstrike.
“Nonetheless, as attack severity intensifies, costs increase, digitalization broadens and new technologies such as generative AI and quantum computing emerge, the potential for adverse credit effects is rising,” Moody’s said.
Business interruption and “incident response,” or efforts to contain an attack and recover from it, are most widely included in cyber insurance, Moody’s said, noting that disruption from ransomware attacks is usually the largest measurable cost.
Ransom payments, legal settlements, reputational damage and regulatory fines are also commonly included in cyber insurance policies, according to Moody’s.
Following a cyberstrike, credit monitoring services for customers and higher cyber insurance premiums may increase costs to a company, Moody’s said.