More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating.

Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks.

Getting Hacked Impacts Credit Scoring

As per the Wall Street Journal (WSJ), credit-rating agencies are placing greater emphasis on how companies handle cyberattacks. Cybersecurity has now become part of the assessment of creditworthiness. S&P Global Ratings analysts have revealed that companies and government agencies affected by cyberattacks have been downgraded due to IT outages, as well as the financial impact of the attacks.

Moody’s Investors Service and Fitch Ratings have also highlighted the dangers of cyber risks. In the event of a cyberattack, some financial consequences may be immediately apparent. Others may take months to materialize and could impact an organization’s ability to repay its debts.

Real-World Credit Rating Impact

Following the SolarWinds cyberattack in 2020, the company was downgraded by S&P from a B+ to a B rating. S&P’s associate director for corporate ratings, Minesh Shilotri, praised SolarWinds for its clear communication and speedy provision of security fixes to customers after the attack, as per the WSJ. However, the software company still suffered from the loss of clients and increased investment in security spending.

Even when companies work quickly to respond to cyberattacks, transparency and communication are vital. Credit rating agencies expect comprehensive details about any cyber incident. Any delay or ambiguity in communication could affect future creditworthiness.

Meanwhile, Chloe Pickett, S&P’s associate director for U.S. public finance ratings, revealed that the Princeton Community Hospital in West Virginia suffered a ransomware attack in 2017. The incident resulted in the center diverting ambulances for a month and losing a significant amount of revenue.

The Princeton Community Hospital attack was a contributing factor to S&P’s decision to downgrade the hospital’s rating from BBB+ to BBB in 2019. Along with the Covid-19 pandemic and the acquisition of a small nearby hospital, the cyberattack was also cited as a reason for S&P’s negative outlook in 2021. The disruption caused by the attack left the hospital in a weaker position to deal with other changes in its business.

World Bank Cybersecurity Guidelines

The World Bank has also chimed in on the impact of cybersecurity and credit reporting. The World Bank’s Cybersecurity In Credit Reporting Guidelines states:

“Widespread cyber incidents can trigger lenders to curtail credit granting in response to fears of widespread frauds that could emanate from such data incidents. The resultant credit rationing can then impact on both aggregate demand by individuals and firms’ profitability.”

The credit reporting cyber ecosystem is experiencing a noteworthy transformation overall, as per the World Bank report. This is driven by changes in the credit reporting landscape. The entry of new data providers, the advent of novel technologies and the expansion of diverse data sets all impact how credit is evaluated worldwide.

As per the World Bank, security controls safeguard the confidentiality, integrity and availability of processed, stored and transmitted information. And these controls must adhere to a set of predefined security requirements.

The World Bank states that cybersecurity focus areas should include:

• Data privacy
• Awareness and education
• Information sharing and communications
• Resilience
• Identity and access management
• Asset management
• Change and configuration management
• Software security
• Third-party management
• Physical security
• Network security
• End-point security
• Data protection
• Threat and vulnerability management
• Event logging and monitoring.

Steps to Develop a Cybersecurity and Data Privacy Strategy

While the task may seem daunting, success remains in an organized effort to move forward. Some steps (adapted for this article) outlined by the World Bank report include:

1. Prioritize critical assets: Create an IT asset inventory (data, physical devices, information systems and software) that support critical business processes. Identify the potential effect (financial, operational and reputational) on the organization if those assets are compromised. Assign a criticality rating to each asset.
2. Understand the threats (threat intelligence): Identify threat actors (state-sponsored entity, organized crime, hacktivist, malicious insider, etc.) relevant to the organization. Rank them by capability and motivation to compromise critical assets.
3. Assess current state: Conduct a candid assessment of current cyber capabilities and performance using an industry-recognized cyber framework (for example, NIST Cybersecurity Framework).
4. Define the future state: Set the vision and long-term goals for the cybersecurity function, accounting for the organization’s strategic goals. These goals should set the course for the future of the organization’s cybersecurity.
5. Create an implementation plan: Conduct a gap analysis between the current cyber capabilities and the desired future state. Identify initiatives that would help bridge the gap. Estimate the cost and level of effort for each initiative, and determine the security benefit each would provide. Create a list of initiatives in a multiyear timeline, assigning a high priority to those that provide favorable cost/benefit/effort ratios.
6. Implement and track progress: Assign necessary resources to implement the security plan. Track key performance indicators and frequently report progress to senior management.

Cybersecurity Strategy is Business Strategy

More than ever, the impact of cyber risk continues to penetrate core business decision-making. Given the risks, regulatory bodies and credit agencies will likely become more proactive in their assessments. It won’t be enough to report only when a breach occurs. The World Bank mentioned “predefined security requirements”. This could mean that organizations will increasingly demand compliance when it comes to security evaluation.

Legislation such as DFARS (Defense Federal Acquisition Regulation Supplement), FISMA (Federal Information Security Management Act), HIPAA (Health Insurance Portability and Accountability Act) and ISO standards already have established cybersecurity compliance requirements. Similar measures may become required in the future to gain favorable credit ratings.