More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating.

Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks.

Getting Hacked Impacts Credit Scoring

As per the Wall Street Journal (WSJ), credit-rating agencies are placing greater emphasis on how companies handle cyberattacks. Cybersecurity has now become part of the assessment of creditworthiness. S&P Global Ratings analysts have revealed that companies and government agencies affected by cyberattacks have been downgraded due to IT outages, as well as the financial impact of the attacks.

Moody’s Investors Service and Fitch Ratings have also highlighted the dangers of cyber risks. In the event of a cyberattack, some financial consequences may be immediately apparent. Others may take months to materialize and could impact an organization’s ability to repay its debts.

Real-World Credit Rating Impact

Following the SolarWinds cyberattack in 2020, the company was downgraded by S&P from a B+ to a B rating. S&P’s associate director for corporate ratings, Minesh Shilotri, praised SolarWinds for its clear communication and speedy provision of security fixes to customers after the attack, as per the WSJ. However, the software company still suffered from the loss of clients and increased investment in security spending.

Even when companies work quickly to respond to cyberattacks, transparency and communication are vital. Credit rating agencies expect comprehensive details about any cyber incident. Any delay or ambiguity in communication could affect future creditworthiness.

Meanwhile, Chloe Pickett, S&P’s associate director for U.S. public finance ratings, revealed that the Princeton Community Hospital in West Virginia suffered a ransomware attack in 2017. The incident resulted in the center diverting ambulances for a month and losing a significant amount of revenue.

The Princeton Community Hospital attack was a contributing factor to S&P’s decision to downgrade the hospital’s rating from BBB+ to BBB in 2019. Along with the Covid-19 pandemic and the acquisition of a small nearby hospital, the cyberattack was also cited as a reason for S&P’s negative outlook in 2021. The disruption caused by the attack left the hospital in a weaker position to deal with other changes in its business.

World Bank Cybersecurity Guidelines

The World Bank has also chimed in on the impact of cybersecurity and credit reporting. The World Bank’s Cybersecurity In Credit Reporting Guidelines states:

“Widespread cyber incidents can trigger lenders to curtail credit granting in response to fears of widespread frauds that could emanate from such data incidents. The resultant credit rationing can then impact on both aggregate demand by individuals and firms’ profitability.”

The credit reporting cyber ecosystem is experiencing a noteworthy transformation overall, as per the World Bank report. This is driven by changes in the credit reporting landscape. The entry of new data providers, the advent of novel technologies and the expansion of diverse data sets all impact how credit is evaluated worldwide.

As per the World Bank, security controls safeguard the confidentiality, integrity and availability of processed, stored and transmitted information. And these controls must adhere to a set of predefined security requirements.

The World Bank states that cybersecurity focus areas should include:

Steps to Develop a Cybersecurity and Data Privacy Strategy

While the task may seem daunting, success lies in an organized effort to move forward. Some steps (adapted for this article) outlined by the World Bank report include:

  1. Prioritize critical assets: Create an inventory of the IT assets (data, physical devices, information systems and software) that support critical business processes. Identify the potential effect (financial, operational and reputational) on the organization if those assets are compromised. Assign a criticality rating to each asset.
  2. Understand the threats (threat intelligence): Identify threat actors (state-sponsored entity, organized crime, hacktivist, malicious insider, etc.) relevant to the organization. Rank them by capability and motivation to compromise critical assets.
  3. Assess current state: Conduct a candid assessment of current cyber capabilities and performance using an industry-recognized cyber framework (for example, NIST Cybersecurity Framework).
  4. Define the future state: Set the vision and long-term goals for the cybersecurity function, accounting for the organization’s strategic goals. These goals should set the course for the future of the organization’s cybersecurity.
  5. Create an implementation plan: Conduct a gap analysis between the current cyber capabilities and the desired future state. Identify initiatives that would help bridge the gap. Estimate the cost and level of effort for each initiative, and determine the security benefit each would provide. Create a list of initiatives in a multiyear timeline, assigning a high priority to those that provide favorable cost/benefit/effort ratios.
  6. Implement and track progress: Assign necessary resources to implement the security plan. Track key performance indicators and frequently report progress to senior management.

Cybersecurity Strategy is Business Strategy

More than ever, the impact of cyber risk continues to penetrate core business decision-making. Given the risks, regulatory bodies and credit agencies will likely become more proactive in their assessments. It won’t be enough to report only when a breach occurs. The World Bank mentioned “predefined security requirements”. This could mean that organizations will increasingly demand compliance when it comes to security evaluation.

Laws, regulations and standards such as DFARS (Defense Federal Acquisition Regulation Supplement), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act) and ISO standards have already established cybersecurity compliance requirements. Similar measures may become required in the future to gain favorable credit ratings.
