More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating.

Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks.

Getting hacked impacts credit scoring

As per the Wall Street Journal (WSJ), credit-rating agencies are placing greater emphasis on how companies handle cyberattacks. Cybersecurity has now become part of the assessment of creditworthiness. S&P Global Ratings analysts have revealed that companies and government agencies affected by cyberattacks have been downgraded due to IT outages, as well as the financial impact of the attacks.

Moody’s Investors Service and Fitch Ratings have also highlighted the dangers of cyber risks. In the event of a cyberattack, some financial consequences may be immediately apparent. Others may take months to materialize and could impact an organization’s ability to repay its debts.

Real-world credit rating impact

Following the SolarWinds cyberattack in 2020, the company was downgraded by S&P from a B+ to a B rating. S&P’s associate director for corporate ratings, Minesh Shilotri, praised SolarWinds for its clear communication and speedy provision of security fixes to customers after the attack, as per the WSJ. However, the software company still suffered from the loss of clients and increased investment in security spending.

Even when companies work quickly to respond to cyberattacks, transparency and communication are vital. Credit rating agencies expect comprehensive details about any cyber incident. Any delay or ambiguity in communication could affect future creditworthiness.

Meanwhile, Chloe Pickett, S&P’s associate director for U.S. public finance ratings, revealed that the Princeton Community Hospital in West Virginia suffered a ransomware attack in 2017. The incident resulted in the center diverting ambulances for a month and losing a significant amount of revenue.

The Princeton Community Hospital attack was a contributing factor to S&P’s decision to downgrade the hospital’s rating from BBB+ to BBB in 2019. Along with the Covid-19 pandemic and the acquisition of a small nearby hospital, the cyberattack was also cited as a reason for S&P’s negative outlook in 2021. The disruption caused by the attack left the hospital in a weaker position to deal with other changes in its business.

World bank cybersecurity guidelines

The World Bank has also chimed in on the impact of cybersecurity and credit reporting. The World Bank’s Cybersecurity In Credit Reporting Guidelines states:

“Widespread cyber incidents can trigger lenders to curtail credit granting in response to fears of widespread frauds that could emanate from such data incidents. The resultant credit rationing can then impact on both aggregate demand by individuals and firms’ profitability.”

The credit reporting cyber ecosystem is experiencing a noteworthy transformation overall, as per the World Bank report. This is driven by changes in the credit reporting landscape. The entry of new data providers, the advent of novel technologies and the expansion of diverse data sets all impact how credit is evaluated worldwide.

As per the World Bank, security controls safeguard the confidentiality, integrity and availability of processed, stored and transmitted information. And these controls must adhere to a set of predefined security requirements.

The World Bank states that cybersecurity focus areas should include:

Steps to develop a cybersecurity and data privacy strategy

While the task may seem daunting, success remains in an organized effort to move forward. Some steps (adapted for this article) outlined by the World Bank report include:

  1. Prioritize critical assets: Create an IT asset inventory (data, physical devices, information systems and software) that support critical business processes. Identify the potential effect (financial, operational and reputational) on the organization if those assets are compromised. Assign a criticality rating to each asset.
  2. Understand the threats (threat intelligence): Identify threat actors (state-sponsored entity, organized crime, hacktivist, malicious insider, etc.) relevant to the organization. Rank them by capability and motivation to compromise critical assets.
  3. Assess current state: Conduct a candid assessment of current cyber capabilities and performance using an industry-recognized cyber framework (for example, NIST Cybersecurity Framework).
  4. Define the future state: Set the vision and long-term goals for the cybersecurity function, accounting for the organization’s strategic goals. These goals should set the course for the future of the organization’s cybersecurity.
  5. Create an implementation plan: Conduct a gap analysis between the current cyber capabilities and the desired future state. Identify initiatives that would help bridge the gap. Estimate the cost and level of effort for each initiative, and determine the security benefit each would provide. Create a list of initiatives in a multiyear timeline, assigning a high priority to those that provide favorable cost/benefit/effort ratios.
  6. Implement and track progress: Assign necessary resources to implement the security plan. Track key performance indicators and frequently report progress to senior management.

Cybersecurity strategy is business strategy

More than ever, the impact of cyber risk continues to penetrate core business decision-making. Given the risks, regulatory bodies and credit agencies will likely become more proactive in their assessments. It won’t be enough to report only when a breach occurs. The World Bank mentioned “predefined security requirements”. This could mean that organizations will increasingly demand compliance when it comes to security evaluation.

Legislation such as DFARS (Defense Federal Acquisition Regulation Supplement), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act) and ISO standards already have established cybersecurity compliance requirements. Similar measures may become required in the future to gain favorable credit ratings.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today